We should support CreateThis in the FTL
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2018-06-02  Filip Pizlo  <fpizlo@apple.com>

        We should support CreateThis in the FTL
        https://bugs.webkit.org/show_bug.cgi?id=164904

        Reviewed by Yusuke Suzuki.

        This started with Saam's patch to implement CreateThis in the FTL, but turned into a type
        inference adventure.

        CreateThis in the FTL was a massive regression in raytrace because it disturbed that
        benchmark's extremely perverse way of winning at type inference:

        - The benchmark wanted polyvariant devirtualization of an object construction helper. But,
          the polyvariant profiler wasn't powerful enough to reliably devirtualize that code. So, the
          benchmark was falling back to other mechanisms...

        - The construction helper could not tier up into the FTL. When the DFG compiled it, it would
          see that the IC had 4 cases. That's too polymorphic for the DFG. So, the DFG would emit a
          GetById. Shortly after the DFG compile, that get_by_id would see many more cases, but now
          that the helper was compiled by the DFG, the baseline get_by_id would not see those cases.
          The DFG's GetById would "hide" those cases. The number of cases the DFG's GetById would see
          is larger than our polymorphic list limit (limit = 8, case count = 13, I think).

          Note that if the FTL compiles that construction helper, it sees the 4 cases, turns them
          into a MultiGetByOffset, then suffers from exits when the new cases hit, and then exits to
          baseline, which then sees those cases. Luckily, the FTL was not compiling the construction
          helper because it had a CreateThis.

        - Compilations that inlined the construction helper would have gotten super lucky with
          parse-time constant folding, so they knew what structure the input to the get_by_id would
          have at parse time. This is only profitable if the get_by_id parsing computed a
          GetByIdStatus that had a finite number of cases. Because the 13 cases were being hidden by
          the DFG GetById and GetByIdStatus would only look at the baseline get_by_id, which had 4
          cases, we would indeed get a finite number of cases. The parser would then prune those
          cases to just one - based on its knowledge of the structure - and that would result in that
          get_by_id being folded at parse time to a constant.

        - The subsequent op_call would inline based on parse-time knowledge of that constant.

        This patch comprehensively fixes these issues, as well as other issues that come up along the
        way. The short version is that raytrace was revealing sloppiness in our use of profiling for
        type inference. This patch fixes the sloppiness by vastly expanding *polyvariant* profiling,
        i.e. the profiling that considers call context. I was encouraged to do this by the fact that
        even the old version of polyvariant profiling was a speed-up on JetStream, ARES-6, and
        Speedometer 2 (it's easy to measure since it's a runtime flag). So, it seemed worthwhile to
        attack raytrace's problem as a shortcoming of polyvariant profiling.

        - Polyvariant profiling now consults every DFG or FTL code block that participated in any
          subset of the inline stack that includes the IC we're profiling. For example, if we have
          an inline stack like foo->bar->baz, with baz on top, then we will consult DFG or FTL
          compilations for foo, bar, and baz. In foo, we'll look up foo->bar->baz; in bar we'll look
          up bar->baz; etc. This fixes two problems encountered in raytrace. First, it ensures that
          a DFG GetById cannot hide anything from the profiling of that get_by_id, since the
          polyvariant profiling code will always consult it. Second, it enables raytrace to benefit
          from polyvariant profiling. Previously, the polyvariant profiler would only look at the
          previous DFG compilation of foo and look up foo->bar->baz. But that only works if DFG-foo
          had inlined bar and then baz. It may not have done that, because those calls could have
          required polyvariant profiling that was only available in the FTL.

        - A particularly interesting case is when some IC in foo-baseline is also available in
          foo-DFG. This case is encountered by the polyvariant profiler as it walks the inline stack.
          In the case of gathering profiling for foo-FTL, the polyvariant profiler finds foo-DFG via
          the trivial case of no inline stack. This also means that if foo ever gets inlined, we will
          find foo-DFG or foo-FTL in the final case of polyvariant profiling. In those cases, we now
          merge the IC of foo-baseline and foo-DFG. This avoids lots of unnecessary recompilations,
          because it warns us of historical polymorphism. Historical polymorphism usually means
          future polymorphism. IC status code already had some merging functionality, but I needed to
          beef it up a lot to make this work right.

        - Inlining an inline cache now preserves as much information as profiling. One challenge of
          polyvariant profiling is that the FTL compile for bar (that includes bar->baz) could have
          inlined an inline cache based on polyvariant profiling. So, when the FTL compile for foo
          (that includes foo->bar->baz) asks bar what it knows about that IC inside bar->baz, it will
          say "I don't have such an IC". At this point the DFG compilation that included that IC that
          gave us the information that we used to inline the IC is no longer alive. To keep us from
          losing the information we learned about the IC, there is now a RecordedStatuses data
          structure that preserves the statuses we use for inlining ICs. We also filter those
          statuses according to things we learn from AI. This further reduces the risk of information
          about an IC being forgotten.

        - Exit profiling now considers whether or not an exit happened from inline code. This
          protects us in the case where the not-inlined version of an IC exited a lot because of
          polymorphism that doesn't exist in the inlined version. So, when using polyvariant
          profiling data, we consider only inlined exits.

        - CallLinkInfo now records when it's repatched to the virtual call thunk. Previously, this
          would clear the CallLinkInfo, so CallLinkStatus would fall back to the lastSeenCallee. It's
          surprising that we've had this bug.

        Altogether this patch is performance-neutral in run-jsc-benchmarks, except for speed-ups in
        microbenchmarks and a compile time regression. Octane/deltablue speeds up by ~5%.
        Octane/raytrace is regressed by a minuscule amount, which we could make up by implementing
        prototype access folding in the bytecode parser and constant folder. That would require some
        significant new logic in GetByIdStatus. That would also require a new benchmark - we want to
        have a test that captures raytrace's behavior in the case that the parser cannot fold the
        get_by_id.

        This change is a 1.2% regression on V8Spider-CompileTime. That's a smaller regression than
        recent compile time progressions, so I think that's an OK trade-off. Also, I would expect a
        compile time regression anytime we fill in FTL coverage.

        This is neutral on JetStream, ARES-6, and Speedometer2. JetStream agrees that deltablue
        speeds up and that raytrace slows down, but these changes balance out and don't affect the
        overall score. In ARES-6, it looks like individual tests have some significant 1-2% speed-ups
        or slow-downs. Air-steady is definitely ~1.5% faster. Basic-worst is probably 2% slower (p ~
        0.1, so it's not very certain). The JetStream, ARES-6, and Speedometer2 overall scores don't
        see a significant difference. In all three cases the difference is <0.5% with a high p value,
        with JetStream and Speedometer2 being insignificant infinitesimal speed-ups and ARES-6 being
        an insignificant infinitesimal slow-down.

        Oh, and this change means that the FTL now has 100% coverage of JavaScript. You could do an
        eval in a for-in loop in a for-of loop inside a with block that uses try/catch for control
        flow in a polymorphic constructor while having a bad time, and we'll still compile it.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/ByValInfo.h:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printPutByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::printInByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<CodeBlock>::dumpCallLinkStatus):
        (JSC::BytecodeDumper<Block>::printCallOp):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeDumper.h:
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFor):
        (JSC::CallLinkStatus::computeExitSiteData):
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        (JSC::CallLinkStatus::accountForExits):
        (JSC::CallLinkStatus::finalize):
        (JSC::CallLinkStatus::filter):
        (JSC::CallLinkStatus::computeDFGStatuses): Deleted.
        * bytecode/CallLinkStatus.h:
        (JSC::CallLinkStatus::operator bool const):
        (JSC::CallLinkStatus::operator! const): Deleted.
        * bytecode/CallVariant.cpp:
        (JSC::CallVariant::finalize):
        (JSC::CallVariant::filter):
        * bytecode/CallVariant.h:
        (JSC::CallVariant::operator bool const):
        (JSC::CallVariant::operator! const): Deleted.
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::dumpBytecode):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeUnconditionally):
        (JSC::CodeBlock::getICStatusMap):
        (JSC::CodeBlock::resetJITData):
        (JSC::CodeBlock::getStubInfoMap): Deleted.
        (JSC::CodeBlock::getCallLinkInfoMap): Deleted.
        (JSC::CodeBlock::getByValInfoMap): Deleted.
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.cpp:
        (JSC::CodeOrigin::isApproximatelyEqualTo const):
        (JSC::CodeOrigin::approximateHash const):
        * bytecode/CodeOrigin.h:
        (JSC::CodeOrigin::exitingInlineKind const):
        * bytecode/DFGExitProfile.cpp:
        (JSC::DFG::FrequentExitSite::dump const):
        (JSC::DFG::ExitProfile::add):
        * bytecode/DFGExitProfile.h:
        (JSC::DFG::FrequentExitSite::FrequentExitSite):
        (JSC::DFG::FrequentExitSite::operator== const):
        (JSC::DFG::FrequentExitSite::subsumes const):
        (JSC::DFG::FrequentExitSite::hash const):
        (JSC::DFG::FrequentExitSite::inlineKind const):
        (JSC::DFG::FrequentExitSite::withInlineKind const):
        (JSC::DFG::QueryableExitProfile::hasExitSite const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificJITType const):
        (JSC::DFG::QueryableExitProfile::hasExitSiteWithSpecificInlineKind const):
        * bytecode/ExitFlag.cpp: Added.
        (JSC::ExitFlag::dump const):
        * bytecode/ExitFlag.h: Added.
        (JSC::ExitFlag::ExitFlag):
        (JSC::ExitFlag::operator| const):
        (JSC::ExitFlag::operator|=):
        (JSC::ExitFlag::operator& const):
        (JSC::ExitFlag::operator&=):
        (JSC::ExitFlag::operator bool const):
        (JSC::ExitFlag::isSet const):
        * bytecode/ExitingInlineKind.cpp: Added.
        (WTF::printInternal):
        * bytecode/ExitingInlineKind.h: Added.
        * bytecode/GetByIdStatus.cpp:
        (JSC::GetByIdStatus::computeFor):
        (JSC::GetByIdStatus::computeForStubInfo):
        (JSC::GetByIdStatus::slowVersion const):
        (JSC::GetByIdStatus::markIfCheap):
        (JSC::GetByIdStatus::finalize):
        (JSC::GetByIdStatus::hasExitSite): Deleted.
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.cpp:
        (JSC::GetByIdVariant::markIfCheap):
        (JSC::GetByIdVariant::finalize):
        * bytecode/GetByIdVariant.h:
        * bytecode/ICStatusMap.cpp: Added.
        (JSC::ICStatusContext::get const):
        (JSC::ICStatusContext::isInlined const):
        (JSC::ICStatusContext::inlineKind const):
        * bytecode/ICStatusMap.h: Added.
        * bytecode/ICStatusUtils.cpp: Added.
        (JSC::hasBadCacheExitSite):
        * bytecode/ICStatusUtils.h:
        * bytecode/InstanceOfStatus.cpp:
        (JSC::InstanceOfStatus::computeFor):
        * bytecode/InstanceOfStatus.h:
        * bytecode/PolyProtoAccessChain.h:
        * bytecode/PutByIdStatus.cpp:
        (JSC::PutByIdStatus::hasExitSite):
        (JSC::PutByIdStatus::computeFor):
        (JSC::PutByIdStatus::slowVersion const):
        (JSC::PutByIdStatus::markIfCheap):
        (JSC::PutByIdStatus::finalize):
        (JSC::PutByIdStatus::filter):
        * bytecode/PutByIdStatus.h:
        * bytecode/PutByIdVariant.cpp:
        (JSC::PutByIdVariant::markIfCheap):
        (JSC::PutByIdVariant::finalize):
        * bytecode/PutByIdVariant.h:
        (JSC::PutByIdVariant::structureSet const):
        * bytecode/RecordedStatuses.cpp: Added.
        (JSC::RecordedStatuses::operator=):
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::addCallLinkStatus):
        (JSC::RecordedStatuses::addGetByIdStatus):
        (JSC::RecordedStatuses::addPutByIdStatus):
        (JSC::RecordedStatuses::markIfCheap):
        (JSC::RecordedStatuses::finalizeWithoutDeleting):
        (JSC::RecordedStatuses::finalize):
        (JSC::RecordedStatuses::shrinkToFit):
        * bytecode/RecordedStatuses.h: Added.
        (JSC::RecordedStatuses::RecordedStatuses):
        (JSC::RecordedStatuses::forEachVector):
        * bytecode/StructureSet.cpp:
        (JSC::StructureSet::markIfCheap const):
        (JSC::StructureSet::isStillAlive const):
        * bytecode/StructureSet.h:
        * bytecode/TerminatedCodeOrigin.h: Added.
        (JSC::TerminatedCodeOrigin::TerminatedCodeOrigin):
        (JSC::TerminatedCodeOriginHashTranslator::hash):
        (JSC::TerminatedCodeOriginHashTranslator::equal):
        * bytecode/Watchpoint.cpp:
        (WTF::printInternal):
        * bytecode/Watchpoint.h:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::filterICStatus):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
        (JSC::DFG::ByteCodeParser::handleModuleNamespaceLoad):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::~InlineStackEntry):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGCommonData.h:
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGDesiredWatchpoints.h:
        (JSC::DFG::SetPointerAdaptor::hasBeenInvalidated):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasCallLinkStatus):
        (JSC::DFG::Node::callLinkStatus):
        (JSC::DFG::Node::hasGetByIdStatus):
        (JSC::DFG::Node::getByIdStatus):
        (JSC::DFG::Node::hasPutByIdStatus):
        (JSC::DFG::Node::putByIdStatus):
        * dfg/DFGNodeType.h:
        * dfg/DFGOSRExitBase.cpp:
        (JSC::DFG::OSRExitBase::considerAddingAsFrequentExitSiteSlow):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::reallyAdd):
        (JSC::DFG::Plan::checkLivenessAndVisitChildren):
        (JSC::DFG::Plan::finalizeInGC):
        * dfg/DFGPlan.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGWorklist.cpp:
        (JSC::DFG::Worklist::removeDeadPlans):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateThis):
        (JSC::FTL::DFG::LowerDFGToB3::compileFilterICStatus):
        * jit/PolymorphicCallStubRoutine.cpp:
        (JSC::PolymorphicCallStubRoutine::hasEdges const):
        (JSC::PolymorphicCallStubRoutine::edges const):
        * jit/PolymorphicCallStubRoutine.h:
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        * runtime/Options.h:

2018-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use Function / ScopedLambda / RecursableLambda instead of std::function
        https://bugs.webkit.org/show_bug.cgi?id=187472

        Reviewed by Mark Lam.

        std::function allocates memory from standard malloc instead of bmalloc. Instead of
        using that, we should use WTF::{Function,ScopedLambda,RecursableLambda}.

        This patch attempts to replace std::function with the above WTF function types.
        If the function's lifetime can be the same as the stack's, we can use ScopedLambda, which
        is really efficient. Otherwise, we should use WTF::Function.
        For recurring use cases, we can use RecursableLambda.

        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * b3/air/AirDisassembler.cpp:
        (JSC::B3::Air::Disassembler::dump):
        * b3/air/AirDisassembler.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ArrayNode::emitBytecode):
        (JSC::ApplyFunctionCallDotNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::addSlowPathGeneratorLambda):
        (JSC::DFG::SpeculativeJIT::compileMathIC):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::json):
        * heap/HeapSnapshotBuilder.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::dump const):
        * interpreter/StackVisitor.h:
        * runtime/PromiseDeferredTimer.h:
        * runtime/VM.cpp:
        (JSC::VM::whenIdle):
        (JSC::enableProfilerWithRespectToCount):
        (JSC::disableProfilerWithRespectToCount):
        * runtime/VM.h:
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::addDidPopListener):
        * runtime/VMEntryScope.h:
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::verifyCellList):
        (JSC::HeapVerifier::validateCell):
        (JSC::HeapVerifier::validateJSCell):
        * tools/HeapVerifier.h:

2018-07-20  Michael Saboff  <msaboff@apple.com>

        DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
        https://bugs.webkit.org/show_bug.cgi?id=187827
        rdar://problem/42146858

        Reviewed by Saam Barati.

        When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
        that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
        We can't end up with other shapes, Int32, Double, etc. because GenericArguments sets
        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
        putByIndex() path that doesn't change the shape.

        * dfg/DFGArrayMode.h:
        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Fold GetByVal if Array is CoW
        https://bugs.webkit.org/show_bug.cgi?id=186459

        Reviewed by Saam Barati.

        CoW indexing type means that we now track the changes in CoW Array by structure. So DFG has a chance to
        fold GetByVal if the given array is CoW. This patch folds GetByVal onto the CoW Array. If the structure
        is watched and the butterfly is JSImmutableButterfly, we can load the value from this butterfly.

        This can be useful since these CoW arrays are used for a storage for constants. Constant-indexed access
        to these constant arrays can be folded into an actual constant by this patch.

                                           baseline                  patched

        template_string.es6          4993.9853+-147.5308   ^    824.1685+-44.1839       ^ definitely 6.0594x faster
        template_string_tag.es5        67.0822+-2.0100     ^      9.3540+-0.5376        ^ definitely 7.1715x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove cellLock in JSObject::convertContiguousToArrayStorage
        https://bugs.webkit.org/show_bug.cgi?id=186602

        Reviewed by Saam Barati.

        JSObject::convertContiguousToArrayStorage's cellLock() is not necessary since we do not
        change the part of the butterfly, length etc. We prove that our procedure is safe, and
        drop the cellLock() here.

        * runtime/JSObject.cpp:
        (JSC::JSObject::convertContiguousToArrayStorage):

2018-07-20  Saam Barati  <sbarati@apple.com>

        CompareEq should be using KnownOtherUse instead of OtherUse
        https://bugs.webkit.org/show_bug.cgi?id=186814
        <rdar://problem/39720030>

        Reviewed by Filip Pizlo.

        CompareEq in fixup phase was doing this:
        insertCheck(child, OtherUse)
        setUseKind(child, OtherUse)
        And in the DFG/FTL backend, it would not emit a check for OtherUse. This could
        lead to edge verification crashing because a phase may optimize the check out
        by removing the node. However, AI may not be privy to that optimization, and
        AI may think the incoming value may not be Other. AI is expecting the DFG/FTL
        backend to actually emit a check here, but it does not.

        This exact pattern is why we have KnownXYZ use kinds. This patch introduces
        KnownOtherUse and changes the above pattern to be:
        insertCheck(child, OtherUse)
        setUseKind(child, KnownOtherUse)

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        (JSC::DFG::shouldNotHaveTypeCheck):
        (JSC::DFG::checkMayCrashIfInputIsEmpty):
        * dfg/DFGWatchpointCollectionPhase.cpp:
        (JSC::DFG::WatchpointCollectionPhase::handle):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCompareEq):
        (JSC::FTL::DFG::LowerDFGToB3::speculate):

2018-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] A bit performance improvement for Object.assign by cleaning up code
        https://bugs.webkit.org/show_bug.cgi?id=187852

        Reviewed by Saam Barati.

        We clean up Object.assign code a bit.

        1. Vector and MarkedArgumentBuffer are extracted out from the loop since repeatedly creating MarkedArgumentBuffer is costly.
        2. canDoFastPath is not necessary. Restructuring the code to clean up things.

        It improves the performance a bit.

                                    baseline                  patched

        object-assign.es6      237.7719+-5.5175          231.2856+-4.6907          might be 1.0280x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2018-07-19  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GLIB] jsc_context_evaluate_in_object() should receive an instance when a JSCClass is given
        https://bugs.webkit.org/show_bug.cgi?id=187798

        Reviewed by Michael Catanzaro.

        Because a JSCClass is pretty much useless without an instance in this case. It should be similar to
        jsc_value_new_object() because indeed we are creating a new object. This makes the destroy function and vtable
        functions work. We can't use JSAPIWrapperObject to wrap this object, because it's a global object, so this
        patch adds JSAPIWrapperGlobalObject for that.

        * API/glib/JSAPIWrapperGlobalObject.cpp: Added.
        (jsAPIWrapperGlobalObjectHandleOwner):
        (JSAPIWrapperGlobalObjectHandleOwner::finalize):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::createStructure):
        (JSC::JSCallbackObject<JSAPIWrapperGlobalObject>::create):
        (JSC::JSAPIWrapperGlobalObject::JSAPIWrapperGlobalObject):
        (JSC::JSAPIWrapperGlobalObject::finishCreation):
        (JSC::JSAPIWrapperGlobalObject::visitChildren):
        * API/glib/JSAPIWrapperGlobalObject.h: Added.
        (JSC::JSAPIWrapperGlobalObject::wrappedObject const):
        (JSC::JSAPIWrapperGlobalObject::setWrappedObject):
        * API/glib/JSCClass.cpp:
        (isWrappedObject): Helper to check if the given object is a JSAPIWrapperObject or JSAPIWrapperGlobalObject.
        (wrappedObjectClass): Return the class of a wrapped object.
        (jscContextForObject): Get the execution context of an object. If the object is a JSAPIWrapperGlobalObject, the
        scope extension global object is used instead.
        (getProperty): Use isWrappedObject, wrappedObjectClass and jscContextForObject.
        (setProperty): Ditto.
        (hasProperty): Ditto.
        (deleteProperty): Ditto.
        (getPropertyNames): Ditto.
        (jscClassCreateContextWithJSWrapper): Call jscContextCreateContextWithJSWrapper().
        * API/glib/JSCClassPrivate.h:
        * API/glib/JSCContext.cpp:
        (jscContextCreateContextWithJSWrapper): Call WrapperMap::createContextWithJSWrappper().
        (jsc_context_evaluate_in_object): Use jscClassCreateContextWithJSWrapper() when a JSCClass is given.
        * API/glib/JSCContext.h:
        * API/glib/JSCContextPrivate.h:
        * API/glib/JSCWrapperMap.cpp:
        (JSC::WrapperMap::createContextWithJSWrappper): Create the new context for jsc_context_evaluate_in_object() here
        when a JSCClass is used to create the JSAPIWrapperGlobalObject.
        (JSC::WrapperMap::wrappedObject const): Return the wrapped object also in case of JSAPIWrapperGlobalObject.
        * API/glib/JSCWrapperMap.h:
        * GLib.cmake:

2018-07-19  Saam Barati  <sbarati@apple.com>

        Conservatively make Object.assign's fast path do a two phase protocol of loading everything then storing everything to try to prevent a crash
        https://bugs.webkit.org/show_bug.cgi?id=187836
        <rdar://problem/42409527>

        Reviewed by Mark Lam.

        We have crash reports that we're crashing on source->getDirect in Object.assign's
        fast path. Mark investigated this and determined we end up with a nullptr for
        butterfly. This is curious, because source's Structure indicated that it has
        out of line properties. My leading hypothesis for this at the moment is a bit
        handwavy, but it's essentially:
        - We end up firing a watchpoint when assigning to the target (this can happen
        if a watchpoint was set up for storing to that particular field)
        - When we fire that watchpoint, we end up doing some kind of work on the source,
        perhaps causing it to flattenDictionaryStructure. Therefore, we end up
        mutating source.

        I'm not super convinced this is what we're running into, but just by reading
        the code, I think it needs to be something similar to this. Seeing if this change
        fixes the crasher will give us good data to determine if something like this is
        happening or if the bug is something else entirely.

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

576 2018-07-19  Commit Queue  <commit-queue@webkit.org>
577
578         Unreviewed, rolling out r233998.
579         https://bugs.webkit.org/show_bug.cgi?id=187815
580
581         Not needed. (Requested by mlam|a on #webkit).
582
583         Reverted changeset:
584
585         "Temporarily mitigate a bug where a source provider is null
586         when it shouldn't be."
587         https://bugs.webkit.org/show_bug.cgi?id=187812
588         https://trac.webkit.org/changeset/233998
589
590 2018-07-19  Mark Lam  <mark.lam@apple.com>
591
592         Temporarily mitigate a bug where a source provider is null when it shouldn't be.
593         https://bugs.webkit.org/show_bug.cgi?id=187812
594         <rdar://problem/41192691>
595
596         Reviewed by Michael Saboff.
597
598         Adding a null check to temporarily mitigate https://bugs.webkit.org/show_bug.cgi?id=187811.
599
600         * runtime/Error.cpp:
601         (JSC::addErrorInfo):
602
603 2018-07-19  Keith Rollin  <krollin@apple.com>
604
605         Adjust WEBCORE_EXPORT annotations for LTO
606         https://bugs.webkit.org/show_bug.cgi?id=187781
607         <rdar://problem/42351124>
608
609         Reviewed by Alex Christensen.
610
611         Continuation of Bug 186944. This bug addresses issues not caught
612         during the first pass of adjustments. The initial work focussed on
613         macOS; this one addresses issues found when building for iOS. From
614         186944:
615
616         Adjust a number of places that result in WebKit's
617         'check-for-weak-vtables-and-externals' script reporting weak external
618         symbols:
619
620             ERROR: WebCore has a weak external symbol in it (/Volumes/Data/dev/webkit/OpenSource/WebKitBuild/Release/WebCore.framework/Versions/A/WebCore)
621             ERROR: A weak external symbol is generated when a symbol is defined in multiple compilation units and is also marked as being exported from the library.
622             ERROR: A common cause of weak external symbols is when an inline function is listed in the linker export file.
623             ...
624
625         These cases are caused by inline methods being marked with WTF_EXPORT
626         (or related macro) or with an inline function being in a class marked
627         as such, and when enabling LTO builds.
628
629         For the most part, address these by removing the WEBCORE_EXPORT
630         annotation from inline methods. In some cases, move the implementation
631         out-of-line because it's the class that has the WEBCORE_EXPORT on it
632         and removing the annotation from the class would be too disruptive.
633         Finally, in other cases, move the implementation out-of-line because
634         check-for-weak-vtables-and-externals still complains when keeping the
635         implementation inline and removing the annotation; this seems to
636         typically (but not always) happen with destructors.
637
638         * inspector/remote/RemoteAutomationTarget.cpp:
639         (Inspector::RemoteAutomationTarget::~RemoteAutomationTarget):
640         * inspector/remote/RemoteAutomationTarget.h:
641         * inspector/remote/RemoteInspector.cpp:
642         (Inspector::RemoteInspector::Client::~Client):
643         * inspector/remote/RemoteInspector.h:
644
645 2018-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
646
647         Unreviewed, check scope after performing getPropertySlot in JSON.stringify
648         https://bugs.webkit.org/show_bug.cgi?id=187807
649
650         Properly putting EXCEPTION_ASSERT to tell our exception checker mechanism
651         that we know that exception occurrence and handle it well.
652
653         * runtime/JSONObject.cpp:
654         (JSC::Stringifier::Holder::appendNextProperty):
655
656 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
657
658         [JSC] Reduce size of AST nodes
659         https://bugs.webkit.org/show_bug.cgi?id=187689
660
661         Reviewed by Mark Lam.
662
663         We clean up AST nodes to reduce size. By doing so, we can reduce the memory consumption
664         of ParserArena at peak state.
665
666         1. Annotate AST nodes with `final` to make them solid. This allows the compiler to
667         devirtualize calls to functions which are implemented in a final class.
668
669         2. Use default member initializers more.
670
671         3. And use `nullptr` instead of `0`.
672
673         4. Arrange the layout of AST nodes to reduce the size. It includes changing the order
674         of classes in multiple inheritance. In particular, StatementNode is decreased from 48
675         to 40. This decreases the sizes of all the derived Statement nodes.
676
677         * parser/NodeConstructors.h:
678         (JSC::Node::Node):
679         (JSC::StatementNode::StatementNode):
680         (JSC::ElementNode::ElementNode):
681         (JSC::ArrayNode::ArrayNode):
682         (JSC::PropertyListNode::PropertyListNode):
683         (JSC::ObjectLiteralNode::ObjectLiteralNode):
684         (JSC::ArgumentListNode::ArgumentListNode):
685         (JSC::ArgumentsNode::ArgumentsNode):
686         (JSC::NewExprNode::NewExprNode):
687         (JSC::BytecodeIntrinsicNode::BytecodeIntrinsicNode):
688         (JSC::BinaryOpNode::BinaryOpNode):
689         (JSC::LogicalOpNode::LogicalOpNode):
690         (JSC::CommaNode::CommaNode):
691         (JSC::SourceElements::SourceElements):
692         (JSC::ClauseListNode::ClauseListNode):
693         * parser/Nodes.cpp:
694         (JSC::FunctionMetadataNode::FunctionMetadataNode):
695         (JSC::FunctionMetadataNode::operator== const):
696         (JSC::FunctionMetadataNode::dump const):
697         * parser/Nodes.h:
698         (JSC::BooleanNode::value): Deleted.
699         (JSC::StringNode::value): Deleted.
700         (JSC::TemplateExpressionListNode::value): Deleted.
701         (JSC::TemplateExpressionListNode::next): Deleted.
702         (JSC::TemplateStringNode::cooked): Deleted.
703         (JSC::TemplateStringNode::raw): Deleted.
704         (JSC::TemplateStringListNode::value): Deleted.
705         (JSC::TemplateStringListNode::next): Deleted.
706         (JSC::TemplateLiteralNode::templateStrings const): Deleted.
707         (JSC::TemplateLiteralNode::templateExpressions const): Deleted.
708         (JSC::TaggedTemplateNode::templateLiteral const): Deleted.
709         (JSC::ResolveNode::identifier const): Deleted.
710         (JSC::ElementNode::elision const): Deleted.
711         (JSC::ElementNode::value): Deleted.
712         (JSC::ElementNode::next): Deleted.
713         (JSC::ArrayNode::elements const): Deleted.
714         (JSC::PropertyNode::expressionName const): Deleted.
715         (JSC::PropertyNode::name const): Deleted.
716         (JSC::PropertyNode::type const): Deleted.
717         (JSC::PropertyNode::needsSuperBinding const): Deleted.
718         (JSC::PropertyNode::isClassProperty const): Deleted.
719         (JSC::PropertyNode::isStaticClassProperty const): Deleted.
720         (JSC::PropertyNode::isInstanceClassProperty const): Deleted.
721         (JSC::PropertyNode::isOverriddenByDuplicate const): Deleted.
722         (JSC::PropertyNode::setIsOverriddenByDuplicate): Deleted.
723         (JSC::PropertyNode::putType const): Deleted.
724         (JSC::BracketAccessorNode::base const): Deleted.
725         (JSC::BracketAccessorNode::subscript const): Deleted.
726         (JSC::BracketAccessorNode::subscriptHasAssignments const): Deleted.
727         (JSC::DotAccessorNode::base const): Deleted.
728         (JSC::DotAccessorNode::identifier const): Deleted.
729         (JSC::SpreadExpressionNode::expression const): Deleted.
730         (JSC::ObjectSpreadExpressionNode::expression const): Deleted.
731         (JSC::BytecodeIntrinsicNode::type const): Deleted.
732         (JSC::BytecodeIntrinsicNode::emitter const): Deleted.
733         (JSC::BytecodeIntrinsicNode::identifier const): Deleted.
734         (JSC::TypeOfResolveNode::identifier const): Deleted.
735         (JSC::BitwiseNotNode::expr): Deleted.
736         (JSC::BitwiseNotNode::expr const): Deleted.
737         (JSC::AssignResolveNode::identifier const): Deleted.
738         (JSC::ExprStatementNode::expr const): Deleted.
739         (JSC::ForOfNode::isForAwait const): Deleted.
740         (JSC::ReturnNode::value): Deleted.
741         (JSC::ProgramNode::startColumn const): Deleted.
742         (JSC::ProgramNode::endColumn const): Deleted.
743         (JSC::EvalNode::startColumn const): Deleted.
744         (JSC::EvalNode::endColumn const): Deleted.
745         (JSC::ModuleProgramNode::startColumn const): Deleted.
746         (JSC::ModuleProgramNode::endColumn const): Deleted.
747         (JSC::ModuleProgramNode::moduleScopeData): Deleted.
748         (JSC::ModuleNameNode::moduleName): Deleted.
749         (JSC::ImportSpecifierNode::importedName): Deleted.
750         (JSC::ImportSpecifierNode::localName): Deleted.
751         (JSC::ImportSpecifierListNode::specifiers const): Deleted.
752         (JSC::ImportSpecifierListNode::append): Deleted.
753         (JSC::ImportDeclarationNode::specifierList const): Deleted.
754         (JSC::ImportDeclarationNode::moduleName const): Deleted.
755         (JSC::ExportAllDeclarationNode::moduleName const): Deleted.
756         (JSC::ExportDefaultDeclarationNode::declaration const): Deleted.
757         (JSC::ExportDefaultDeclarationNode::localName const): Deleted.
758         (JSC::ExportLocalDeclarationNode::declaration const): Deleted.
759         (JSC::ExportSpecifierNode::exportedName): Deleted.
760         (JSC::ExportSpecifierNode::localName): Deleted.
761         (JSC::ExportSpecifierListNode::specifiers const): Deleted.
762         (JSC::ExportSpecifierListNode::append): Deleted.
763         (JSC::ExportNamedDeclarationNode::specifierList const): Deleted.
764         (JSC::ExportNamedDeclarationNode::moduleName const): Deleted.
765         (JSC::ArrayPatternNode::appendIndex): Deleted.
766         (JSC::ObjectPatternNode::appendEntry): Deleted.
767         (JSC::ObjectPatternNode::setContainsRestElement): Deleted.
768         (JSC::ObjectPatternNode::setContainsComputedProperty): Deleted.
769         (JSC::DestructuringAssignmentNode::bindings): Deleted.
770         (JSC::FunctionParameters::size const): Deleted.
771         (JSC::FunctionParameters::append): Deleted.
772         (JSC::FunctionParameters::isSimpleParameterList const): Deleted.
773         (JSC::FuncDeclNode::metadata): Deleted.
774         (JSC::CaseClauseNode::expr const): Deleted.
775         (JSC::CaseClauseNode::setStartOffset): Deleted.
776         (JSC::ClauseListNode::getClause const): Deleted.
777         (JSC::ClauseListNode::getNext const): Deleted.
778         * runtime/ExceptionHelpers.cpp:
779         * runtime/JSObject.cpp:
780
781 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
782
783         JSON.stringify should emit non own properties if second array argument includes
784         https://bugs.webkit.org/show_bug.cgi?id=187724
785
786         Reviewed by Mark Lam.
787
788         According to the spec[1], JSON.stringify needs to retrieve properties by using [[Get]],
789         instead of [[GetOwnProperty]]. It means that we would look up properties defined
790         in [[Prototype]] or upper objects in the prototype chain. While enumeration is typically done
791         by using EnumerableOwnPropertyNames, we can pass a replacer array including
792         property names which do not reside in the own properties. Or we can modify the
793         own properties by deleting properties while JSON.stringify is calling a getter. So,
794         using [[Get]] instead of [[GetOwnProperty]] is user-visible.
795
796         This patch changes getOwnPropertySlot to getPropertySlot to align the behavior to the spec.
797         The performance of Kraken/json-stringify-tinderbox is neutral.
798
799         [1]: https://tc39.github.io/ecma262/#sec-serializejsonproperty
800
801         * runtime/JSONObject.cpp:
802         (JSC::Stringifier::toJSON):
803         (JSC::Stringifier::toJSONImpl):
804         (JSC::Stringifier::appendStringifiedValue):
805         (JSC::Stringifier::Holder::Holder):
806         (JSC::Stringifier::Holder::appendNextProperty):
807
808 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
809
810         [JSC] JSON.stringify's replacer should use `isArray` instead of JSArray checks
811         https://bugs.webkit.org/show_bug.cgi?id=187755
812
813         Reviewed by Mark Lam.
814
815         JSON.stringify used `inherits<JSArray>(vm)` to determine whether the given replacer is an array replacer.
816         But this is wrong. According to the spec, we should use `isArray`[1], which accepts Proxies. This difference
817         makes one test262 test fail.
818
819         This patch changes the code to use `isArray()`. And we reorder the evaluations of the replacer check and indent space check
820         to align these checks to the spec's order.
821
822         [1]: https://tc39.github.io/ecma262/#sec-json.stringify
823
824         * runtime/JSONObject.cpp:
825         (JSC::Stringifier::Stringifier):
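
        The spec behaviour that the two JSON.stringify entries above (bugs 187724 and 187755) align
        JSC to, as an added JavaScript example that is not part of the WebKit patches. The sample
        objects are constructed here; `serializeKeys` is a hypothetical reference model of the
        per-property step, not JSC code.

```javascript
'use strict';

// Constructed sample object (not from the WebKit patch): own enumerable keys are
// ['a', 'b'], the getter for 'a' deletes own 'b' while serialization is running,
// and the prototype also carries a 'b'.
function makeSelfMutatingObject() {
  const proto = { b: 'from proto' };
  const o = Object.create(proto);
  Object.defineProperty(o, 'a', {
    enumerable: true,
    get() { delete o.b; return 1; },
  });
  o.b = 2;
  return o;
}

// Hypothetical reference model of SerializeJSONProperty over a fixed key list:
// `useGet` selects [[Get]] (the spec behaviour the patch implements) versus
// [[GetOwnProperty]] (the pre-patch behaviour described in the entry).
function serializeKeys(obj, keys, useGet) {
  const out = {};
  for (const key of keys) {
    let value;
    if (useGet) {
      value = obj[key]; // walks the prototype chain
    } else if (Object.prototype.hasOwnProperty.call(obj, key)) {
      value = obj[key]; // own property only (the getter still runs)
    }
    if (value !== undefined) out[key] = value;
  }
  return JSON.stringify(out);
}

// Engine result for the self-mutating object. The key list ['a', 'b'] is fixed
// before any getter runs; by the time 'b' is read the own copy is gone, so
// [[Get]] continues to the prototype instead of dropping the key.
function engineGetterSideEffect() {
  return JSON.stringify(makeSelfMutatingObject());
}

// A replacer array naming a key that exists only on the prototype chain: per
// spec the value is still emitted because the lookup uses [[Get]].
function engineInheritedViaReplacer() {
  const o = Object.create({ inherited: 1 });
  o.own = 2;
  return JSON.stringify(o, ['own', 'inherited']);
}

// A Proxy around an array must be recognised as an array replacer (IsArray),
// so the allow-list is honoured; a concrete JSArray class check would ignore it.
function engineProxyReplacer() {
  const replacer = new Proxy(['b'], {});
  return JSON.stringify({ a: 1, b: 2, c: 3 }, replacer);
}
```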
826
827 2018-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
828
829         [JSC] Root wrapper object in JSON.stringify is not necessary if replacer is not callable
830         https://bugs.webkit.org/show_bug.cgi?id=187752
831
832         Reviewed by Mark Lam.
833
834         JSON.stringify has an implicit root wrapper object since we would like to call replacer
835         with a wrapper object and a property name. While we always create this wrapper object,
836         it is unnecessary if the given replacer is not callable.
837
838         This patch removes wrapper object creation when a replacer is not callable to avoid unnecessary
839         allocations. This change slightly improves the performance of Kraken/json-stringify-tinderbox.
840
841                                            baseline                  patched
842
843         json-stringify-tinderbox        39.730+-0.590      ^      38.853+-0.266         ^ definitely 1.0226x faster
844
845         * runtime/JSONObject.cpp:
846         (JSC::Stringifier::isCallableReplacer const):
847         (JSC::Stringifier::Stringifier):
848         (JSC::Stringifier::stringify):
849         (JSC::Stringifier::appendStringifiedValue):
850
851 2018-07-18  Carlos Garcia Campos  <cgarcia@igalia.com>
852
853         [GLIB] Add jsc_context_check_syntax() to GLib API
854         https://bugs.webkit.org/show_bug.cgi?id=187694
855
856         Reviewed by Yusuke Suzuki.
857
858         A new function to be able to check for syntax errors without actually evaluating the code.
859
860         * API/glib/JSCContext.cpp:
861         (jsc_context_check_syntax):
862         * API/glib/JSCContext.h:
863         * API/glib/docs/jsc-glib-4.0-sections.txt:
864
865 2018-07-17  Keith Miller  <keith_miller@apple.com>
866
867         Revert r233630 since it broke internal wasm benchmarks
868         https://bugs.webkit.org/show_bug.cgi?id=187746
869
870         Unreviewed revert.
871
872         This patch seems to have broken internal Wasm benchmarks. This
873         issue is likely due to an underlying bug but let's rollout while
874         we investigate.
875
876         * bytecode/CodeType.h:
877         * bytecode/UnlinkedCodeBlock.cpp:
878         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
879         * bytecode/UnlinkedCodeBlock.h:
880         (JSC::UnlinkedCodeBlock::codeType const):
881         (JSC::UnlinkedCodeBlock::didOptimize const):
882         (JSC::UnlinkedCodeBlock::setDidOptimize):
883         * bytecode/VirtualRegister.h:
884         (JSC::VirtualRegister::VirtualRegister):
885         (): Deleted.
886
887 2018-07-17  Mark Lam  <mark.lam@apple.com>
888
889         CodeBlock::baselineVersion() should account for executables with purged codeBlocks.
890         https://bugs.webkit.org/show_bug.cgi?id=187736
891         <rdar://problem/42114371>
892
893         Reviewed by Michael Saboff.
894
895         CodeBlock::baselineVersion() currently checks for a null replacement but does not
896         account for the fact that the replacement can also be null due to the
897         executable having been purged of its codeBlocks due to a memory event (see
898         ExecutableBase::clearCode()).  This patch adds code to account for this.
899
900         * bytecode/CodeBlock.cpp:
901         (JSC::CodeBlock::baselineVersion):
902
903 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
904
905         [JSC] UnlinkedCodeBlock::shrinkToFit miss m_constantIdentifierSets
906         https://bugs.webkit.org/show_bug.cgi?id=187709
907
908         Reviewed by Mark Lam.
909
910         UnlinkedCodeBlock::shrinkToFit accidentally misses m_constantIdentifierSets shrinking.
911
912         * bytecode/UnlinkedCodeBlock.cpp:
913         (JSC::UnlinkedCodeBlock::shrinkToFit):
914
915 2018-07-16  Yusuke Suzuki  <utatane.tea@gmail.com>
916
917         [JSC] Make SourceParseMode small
918         https://bugs.webkit.org/show_bug.cgi?id=187705
919
920         Reviewed by Mark Lam.
921
922         Each SourceParseMode is distinct. So we do not need to make it a set-style (power of 2 style).
923         Originally, this was done to make SourceParseModeSet faster because it is critical in our parser.
924         But we can keep SourceParseModeSet fast by `1U << mode | set`. And we can make SourceParseMode
925         within 5 bits. This reduces the size of UnlinkedCodeBlock from 288 to 280.
926
927         * parser/ParserModes.h:
928         (JSC::SourceParseModeSet::SourceParseModeSet):
929         (JSC::SourceParseModeSet::contains):
930         (JSC::SourceParseModeSet::mergeSourceParseModes):
931
932 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
933
934         [JSC] Generator and AsyncGeneratorMethod's prototype is incorrect
935         https://bugs.webkit.org/show_bug.cgi?id=187585
936
937         Reviewed by Darin Adler.
938
939         This patch fixes Generator and AsyncGenerator's prototype issues.
940
941         1. Generator's default prototype is incorrect when `generator.prototype = null` is performed.
942         We fix this by changing JSFunction::prototypeForConstruction.
943
944         2. AsyncGeneratorMethod is not handled. We change the name isAsyncGeneratorFunctionParseMode
945         to isAsyncGeneratorWrapperParseMode since it is aligned to Generator's code. And use it well
946         to fix `prototype` issues for AsyncGeneratorMethod.
947
948         * bytecompiler/BytecodeGenerator.cpp:
949         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
950         (JSC::BytecodeGenerator::emitNewFunction):
951         * bytecompiler/NodesCodegen.cpp:
952         (JSC::FunctionNode::emitBytecode):
953         * parser/ASTBuilder.h:
954         (JSC::ASTBuilder::createFunctionMetadata):
955         * parser/Parser.cpp:
956         (JSC::getAsynFunctionBodyParseMode):
957         (JSC::Parser<LexerType>::parseInner):
958         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
959         * parser/ParserModes.h:
960         (JSC::isAsyncGeneratorParseMode):
961         (JSC::isAsyncGeneratorWrapperParseMode):
962         (JSC::isAsyncGeneratorFunctionParseMode): Deleted.
963         * runtime/FunctionExecutable.h:
964         * runtime/JSFunction.cpp:
965         (JSC::JSFunction::prototypeForConstruction):
966         (JSC::JSFunction::getOwnPropertySlot):
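
        The user-visible semantics this entry fixes, as an added JavaScript example that is not part
        of the WebKit patch: the realm's %GeneratorPrototype% / %AsyncGeneratorPrototype% fallback
        when `prototype` is not an object, and the wiring of an async generator method's prototype.

```javascript
'use strict';

// Realm intrinsics reached through ordinary generator / async generator expressions.
const GeneratorPrototype = Object.getPrototypeOf(function* () {}).prototype;
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;

// Case 1 from the entry: when a generator function's `prototype` has been replaced
// by a non-object, GetPrototypeFromConstructor falls back to the realm's
// %GeneratorPrototype% instead of giving the generator object a bad prototype.
function generatorWithNullPrototype() {
  function* gen() { yield 1; }
  gen.prototype = null;
  const g = gen();
  return {
    fallsBackToIntrinsic: Object.getPrototypeOf(g) === GeneratorPrototype,
    stillIterates: g.next().value === 1 && g.next().done === true,
  };
}

// Case 2: an async generator *method* (not a function declaration) must be wired
// up the same way: its own `prototype` inherits from %AsyncGeneratorPrototype%,
// instances inherit from that `prototype`, and the null-prototype fallback applies.
function asyncGeneratorMethodPrototypes() {
  const obj = { async *m() { yield 1; } };
  const methodPrototype = obj.m.prototype;
  const normal = obj.m();
  obj.m.prototype = null;
  const fallback = obj.m();
  return {
    methodPrototypeInheritsIntrinsic: Object.getPrototypeOf(methodPrototype) === AsyncGeneratorPrototype,
    instanceUsesMethodPrototype: Object.getPrototypeOf(normal) === methodPrototype,
    nullPrototypeFallsBack: Object.getPrototypeOf(fallback) === AsyncGeneratorPrototype,
  };
}
```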
967
968 2018-07-16  Mark Lam  <mark.lam@apple.com>
969
970         jsc shell's noFTL utility test function should be more robust.
971         https://bugs.webkit.org/show_bug.cgi?id=187704
972         <rdar://problem/42231988>
973
974         Reviewed by Michael Saboff and Keith Miller.
975
976         * jsc.cpp:
977         (functionNoFTL):
978         - only setNeverFTLOptimize() if the function is actually a JS function.
979
980 2018-07-15  Carlos Garcia Campos  <cgarcia@igalia.com>
981
982         [GLIB] Add API to evaluate code using a given object to store global symbols
983         https://bugs.webkit.org/show_bug.cgi?id=187639
984
985         Reviewed by Michael Catanzaro.
986
987         Add jsc_context_evaluate_in_object(). It returns a new object as an out parameter. Global symbols in the
988         evaluated script are added as properties to the new object instead of to the context global object. This is
989         similar to JS::Evaluate in SpiderMonkey when a scopeChain parameter is passed, but JSC doesn't support using a
990         scope for assignments, so we have to create a new context and get its global object. This patch also updates
991         jsc_context_evaluate_with_source_uri() to receive the starting line number for consistency with the new
992         jsc_context_evaluate_in_object().
993
994         * API/glib/JSCContext.cpp:
995         (jsc_context_evaluate): Pass 0 as line number to jsc_context_evaluate_with_source_uri().
996         (evaluateScriptInContext): Helper function to evaluate a script in a JSGlobalContextRef.
997         (jsc_context_evaluate_with_source_uri): Use evaluateScriptInContext().
998         (jsc_context_evaluate_in_object): Create a new context and set the main context global object as extension
999         scope of it. Evaluate the script in the new context and get its global object to be returned as parameter.
1000         * API/glib/JSCContext.h:
1001         * API/glib/docs/jsc-glib-4.0-sections.txt:
1002
1003 2018-07-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1004
1005         [32bit JSC tests]  stress/cow-convert-double-to-contiguous.js and stress/cow-convert-int32-to-contiguous.js are failing
1006         https://bugs.webkit.org/show_bug.cgi?id=187561
1007
1008         Reviewed by Darin Adler.
1009
1010         This patch fixes the issue that CoW array handling is not introduced in 32bit put_by_val code.
1011         We clean up 32bit put_by_val code.
1012
1013         1. We remove inline out-of-bounds recording code since it is done in C operation code. This change
1014         aligns 32bit implementation to 64bit implementation.
1015
1016         2. We add CoW array checking, which is done in 64bit implementation.
1017
1018         * jit/JITPropertyAccess.cpp:
1019         (JSC::JIT::emit_op_put_by_val):
1020         * jit/JITPropertyAccess32_64.cpp:
1021         (JSC::JIT::emit_op_put_by_val):
1022         (JSC::JIT::emitSlow_op_put_by_val):
1023
1024 2018-07-12  Mark Lam  <mark.lam@apple.com>
1025
1026         Need to handle CodeBlock::replacement() being null.
1027         https://bugs.webkit.org/show_bug.cgi?id=187569
1028         <rdar://problem/41468692>
1029
1030         Reviewed by Saam Barati.
1031
1032         CodeBlock::replacement() may return a nullptr.  Some of our code already checks
1033         for this while others do not.  We should add null checks in all the places that
1034         need it.
1035
1036         * bytecode/CodeBlock.cpp:
1037         (JSC::CodeBlock::hasOptimizedReplacement):
1038         (JSC::CodeBlock::jettison):
1039         (JSC::CodeBlock::numberOfDFGCompiles):
1040         (JSC::CodeBlock::setOptimizationThresholdBasedOnCompilationResult):
1041         * dfg/DFGOperations.cpp:
1042         * dfg/DFGToFTLDeferredCompilationCallback.cpp:
1043         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidBecomeReadyAsynchronously):
1044         (JSC::DFG::ToFTLDeferredCompilationCallback::compilationDidComplete):
1045         * jit/JITOperations.cpp:
1046
1047 2018-07-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1048
1049         [JSC] Thread VM& to JSCell::methodTable(VM&)
1050         https://bugs.webkit.org/show_bug.cgi?id=187548
1051
1052         Reviewed by Saam Barati.
1053
1054         This patch threads VM& to methodTable(VM&) and removes methodTable().
1055         We add VM& parameter to estimatedSize() to thread VM& in estimatedSize implementations.
1056
1057         * API/APICast.h:
1058         (toJS):
1059         * API/JSCallbackObject.h:
1060         * API/JSCallbackObjectFunctions.h:
1061         (JSC::JSCallbackObject<Parent>::className):
1062         * bytecode/CodeBlock.cpp:
1063         (JSC::CodeBlock::estimatedSize):
1064         * bytecode/CodeBlock.h:
1065         * bytecode/UnlinkedCodeBlock.cpp:
1066         (JSC::UnlinkedCodeBlock::estimatedSize):
1067         * bytecode/UnlinkedCodeBlock.h:
1068         * debugger/DebuggerScope.cpp:
1069         (JSC::DebuggerScope::className):
1070         * debugger/DebuggerScope.h:
1071         * heap/Heap.cpp:
1072         (JSC::GatherHeapSnapshotData::GatherHeapSnapshotData):
1073         (JSC::GatherHeapSnapshotData::operator() const):
1074         (JSC::Heap::gatherExtraHeapSnapshotData):
1075         * heap/HeapSnapshotBuilder.cpp:
1076         (JSC::HeapSnapshotBuilder::json):
1077         * runtime/ArrayPrototype.cpp:
1078         (JSC::arrayProtoFuncToString):
1079         * runtime/ClassInfo.h:
1080         * runtime/DirectArguments.cpp:
1081         (JSC::DirectArguments::estimatedSize):
1082         * runtime/DirectArguments.h:
1083         * runtime/HashMapImpl.cpp:
1084         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
1085         * runtime/HashMapImpl.h:
1086         * runtime/JSArrayBuffer.cpp:
1087         (JSC::JSArrayBuffer::estimatedSize):
1088         * runtime/JSArrayBuffer.h:
1089         * runtime/JSBigInt.cpp:
1090         (JSC::JSBigInt::estimatedSize):
1091         * runtime/JSBigInt.h:
1092         * runtime/JSCell.cpp:
1093         (JSC::JSCell::dump const):
1094         (JSC::JSCell::estimatedSizeInBytes const):
1095         (JSC::JSCell::estimatedSize):
1096         (JSC::JSCell::className):
1097         * runtime/JSCell.h:
1098         * runtime/JSCellInlines.h:
1099         * runtime/JSGenericTypedArrayView.h:
1100         * runtime/JSGenericTypedArrayViewInlines.h:
1101         (JSC::JSGenericTypedArrayView<Adaptor>::estimatedSize):
1102         * runtime/JSObject.cpp:
1103         (JSC::JSObject::estimatedSize):
1104         (JSC::JSObject::className):
1105         (JSC::JSObject::toStringName):
1106         (JSC::JSObject::calculatedClassName):
1107         * runtime/JSObject.h:
1108         * runtime/JSProxy.cpp:
1109         (JSC::JSProxy::className):
1110         * runtime/JSProxy.h:
1111         * runtime/JSString.cpp:
1112         (JSC::JSString::estimatedSize):
1113         * runtime/JSString.h:
1114         * runtime/RegExp.cpp:
1115         (JSC::RegExp::estimatedSize):
1116         * runtime/RegExp.h:
1117         * runtime/WeakMapImpl.cpp:
1118         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1119         * runtime/WeakMapImpl.h:
1120
1121 2018-07-11  Commit Queue  <commit-queue@webkit.org>
1122
1123         Unreviewed, rolling out r233714.
1124         https://bugs.webkit.org/show_bug.cgi?id=187579
1125
1126         it made tests time out (Requested by pizlo on #webkit).
1127
1128         Reverted changeset:
1129
1130         "Change the reoptimization backoff base to 1.3 from 2"
1131         https://bugs.webkit.org/show_bug.cgi?id=187540
1132         https://trac.webkit.org/changeset/233714
1133
1134 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1135
1136         [GLIB] Add API to allow creating variadic functions
1137         https://bugs.webkit.org/show_bug.cgi?id=187517
1138
1139         Reviewed by Michael Catanzaro.
1140
1141         Add a _variadic alternate method for jsc_class_add_constructor, jsc_class_add_method and
1142         jsc_value_new_function. In that case the callback always receives a GPtrArray of JSCValue.
1143
1144         * API/glib/JSCCallbackFunction.cpp:
1145         (JSC::JSCCallbackFunction::create): Make the parameters optional.
1146         (JSC::JSCCallbackFunction::JSCCallbackFunction): Ditto.
1147         (JSC::JSCCallbackFunction::call): Handle the case of parameters being nullopt by creating a GPtrArray of
1148         JSCValue for the arguments.
1149         (JSC::JSCCallbackFunction::construct): Ditto.
1150         * API/glib/JSCCallbackFunction.h:
1151         * API/glib/JSCClass.cpp:
1152         (jscClassCreateConstructor): Make the parameters optional.
1153         (jsc_class_add_constructor_variadic): Pass nullopt as parameters to jscClassCreateConstructor.
1154         (jscClassAddMethod): Make the parameters optional.
1155         (jsc_class_add_method_variadic): Pass nullopt as parameters to jscClassAddMethod.
1156         * API/glib/JSCClass.h:
1157         * API/glib/JSCValue.cpp:
1158         (jsc_value_object_define_property_accessor): Update now that parameters are optional.
1159         (jscValueFunctionCreate): Make the parameters optional.
1160         (jsc_value_new_function_variadic): Pass nullopt as parameters to jscValueFunctionCreate.
1161         * API/glib/JSCValue.h:
1162         * API/glib/docs/jsc-glib-4.0-sections.txt:
1163
1164 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1165
1166         [GLIB] Add jsc_context_get_global_object() to GLib API
1167         https://bugs.webkit.org/show_bug.cgi?id=187515
1168
1169         Reviewed by Michael Catanzaro.
1170
1171         This wasn't exposed because we have convenient methods in JSCContext to get and set properties on the global
1172         object. However, getting the global object could be useful in some cases, for example to give it a well known
1173         name like 'window' in browsers and GJS.
1174
1175         * API/glib/JSCContext.cpp:
1176         (jsc_context_get_global_object):
1177         * API/glib/JSCContext.h:
1178         * API/glib/docs/jsc-glib-4.0-sections.txt:
1179
1180 2018-07-11  Carlos Garcia Campos  <cgarcia@igalia.com>
1181
1182         [GLIB] Handle G_TYPE_STRV in glib API
1183         https://bugs.webkit.org/show_bug.cgi?id=187512
1184
1185         Reviewed by Michael Catanzaro.
1186
1187         Add jsc_value_new_array_from_strv() and handle G_TYPE_STRV types in function parameters.
1188
1189         * API/glib/JSCContext.cpp:
1190         (jscContextGValueToJSValue):
1191         (jscContextJSValueToGValue):
1192         * API/glib/JSCValue.cpp:
1193         (jsc_value_new_array_from_strv):
1194         * API/glib/JSCValue.h:
1195         * API/glib/docs/jsc-glib-4.0-sections.txt:
1196
1197 2018-07-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1198
1199         Iterator of Array.keys() returns object in wrong order
1200         https://bugs.webkit.org/show_bug.cgi?id=185197
1201
1202         Reviewed by Keith Miller.
1203
1204         * builtins/ArrayIteratorPrototype.js:
1205         (globalPrivate.arrayIteratorValueNext):
1206         (globalPrivate.arrayIteratorKeyNext):
1207         (globalPrivate.arrayIteratorKeyValueNext):
1208         * builtins/AsyncFromSyncIteratorPrototype.js:
1209         * builtins/AsyncGeneratorPrototype.js:
1210         (globalPrivate.asyncGeneratorResolve):
1211         * builtins/GeneratorPrototype.js:
1212         (globalPrivate.generatorResume):
1213         * builtins/MapIteratorPrototype.js:
1214         (globalPrivate.mapIteratorNext):
1215         * builtins/SetIteratorPrototype.js:
1216         (globalPrivate.setIteratorNext):
1217         * builtins/StringIteratorPrototype.js:
1218         (next):
1219         * runtime/IteratorOperations.cpp:
1220         (JSC::createIteratorResultObjectStructure):
1221         (JSC::createIteratorResultObject):
1222
1223 2018-07-10  Mark Lam  <mark.lam@apple.com>
1224
1225         constructArray() should always allocate the requested length.
1226         https://bugs.webkit.org/show_bug.cgi?id=187543
1227         <rdar://problem/41947884>
1228
1229         Reviewed by Saam Barati.
1230
1231         Currently, it does not when we're having a bad time.  We fix this by switching
1232         back to using tryCreateUninitializedRestricted() exclusively in constructArray().
1233         If we detect that a structure transition is possible before we can initialize
1234         the butterfly, we'll go ahead and eagerly initialize the rest of the butterfly.
1235         We will introduce JSArray::eagerlyInitializeButterfly() to handle this.
1236
1237         Also enhanced the DisallowScope and ObjectInitializationScope to support this
1238         eager initialization when needed.
1239
1240         * dfg/DFGOperations.cpp:
1241         - the client of operationNewArrayWithSizeAndHint() (in FTL generated code) expects
1242           the array allocation to always succeed.  Adding this RELEASE_ASSERT here makes
1243           it clearer that we encountered an OutOfMemory condition instead of failing in FTL
1244           generated code, which will appear as a generic null pointer dereference.
1245
1246         * runtime/ArrayPrototype.cpp:
1247         (JSC::concatAppendOne):
1248         - the code here clearly wants to check for an allocation failure.  Switched to
1249           using JSArray::tryCreate() instead of JSArray::create().
1250
1251         * runtime/DisallowScope.h:
1252         (JSC::DisallowScope::disable):
1253         * runtime/JSArray.cpp:
1254         (JSC::JSArray::tryCreateUninitializedRestricted):
1255         (JSC::JSArray::eagerlyInitializeButterfly):
1256         (JSC::constructArray):
1257         * runtime/JSArray.h:
1258         * runtime/ObjectInitializationScope.cpp:
1259         (JSC::ObjectInitializationScope::notifyInitialized):
1260         * runtime/ObjectInitializationScope.h:
1261         (JSC::ObjectInitializationScope::notifyInitialized):
1262
1263 2018-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1264
1265         [JSC] Remove getTypedArrayImpl
1266         https://bugs.webkit.org/show_bug.cgi?id=187338
1267
1268         Reviewed by Mark Lam.
1269
1270         getTypedArrayImpl is overridden only by typed arrays and DataView. Since the number of these classes
1271         is limited, we do not need to add this function to MethodTable: dispatching it in JSArrayBufferView is fine.
1272         This patch removes getTypedArrayImpl from MethodTable, and moves it to JSArrayBufferView.
1273
1274         * runtime/ClassInfo.h:
1275         * runtime/GenericTypedArrayView.h:
1276         (JSC::GenericTypedArrayView::data const): Deleted.
1277         (JSC::GenericTypedArrayView::set): Deleted.
1278         (JSC::GenericTypedArrayView::setRange): Deleted.
1279         (JSC::GenericTypedArrayView::zeroRange): Deleted.
1280         (JSC::GenericTypedArrayView::zeroFill): Deleted.
1281         (JSC::GenericTypedArrayView::length const): Deleted.
1282         (JSC::GenericTypedArrayView::item const): Deleted.
1283         (JSC::GenericTypedArrayView::set const): Deleted.
1284         (JSC::GenericTypedArrayView::setNative const): Deleted.
1285         (JSC::GenericTypedArrayView::getRange): Deleted.
1286         (JSC::GenericTypedArrayView::checkInboundData const): Deleted.
1287         (JSC::GenericTypedArrayView::internalByteLength const): Deleted.
1288         * runtime/JSArrayBufferView.cpp:
1289         (JSC::JSArrayBufferView::possiblySharedImpl):
1290         * runtime/JSArrayBufferView.h:
1291         * runtime/JSArrayBufferViewInlines.h:
1292         (JSC::JSArrayBufferView::possiblySharedImpl): Deleted.
1293         * runtime/JSCell.cpp:
1294         (JSC::JSCell::getTypedArrayImpl): Deleted.
1295         * runtime/JSCell.h:
1296         * runtime/JSDataView.cpp:
1297         (JSC::JSDataView::getTypedArrayImpl): Deleted.
1298         * runtime/JSDataView.h:
1299         * runtime/JSGenericTypedArrayView.h:
1300         * runtime/JSGenericTypedArrayViewInlines.h:
1301         (JSC::JSGenericTypedArrayView<Adaptor>::getTypedArrayImpl): Deleted.
1302
1303 2018-07-10  Keith Miller  <keith_miller@apple.com>
1304
1305         hasOwnProperty returns true for out of bounds property index on TypedArray
1306         https://bugs.webkit.org/show_bug.cgi?id=187520
1307
1308         Reviewed by Saam Barati.
1309
1310         * runtime/JSGenericTypedArrayViewInlines.h:
1311         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlot):
1312
1313 2018-07-10  Michael Saboff  <msaboff@apple.com>
1314
1315         DFG JIT: compileMathIC produces incorrect machine code
1316         https://bugs.webkit.org/show_bug.cgi?id=187537
1317
1318         Reviewed by Saam Barati.
1319
1320         Added checks for constant multipliers in JITMulGenerator::generateInline().  If we have a constant multiplier,
1321         fall back to the fast path generator which handles such cases.
1322
1323         * jit/JITMulGenerator.cpp:
1324         (JSC::JITMulGenerator::generateInline):
1325
1326 2018-07-10  Filip Pizlo  <fpizlo@apple.com>
1327
1328         Change the reoptimization backoff base to 1.3 from 2
1329         https://bugs.webkit.org/show_bug.cgi?id=187540
1330
1331         Reviewed by Saam Barati.
1332         
1333         I have data that hints at this being a speed-up on JetStream, ARES-6, and Speedometer2.
1334         
1335         I also have data that hints that a backoff base of 1 might be even better, but I think that
1336         we want to keep *some* backoff in case we find ourselves in an unmitigated recomp loop.
1337
1338         * bytecode/CodeBlock.cpp:
1339         (JSC::CodeBlock::reoptimizationRetryCounter const):
1340         (JSC::CodeBlock::countReoptimization):
1341         (JSC::CodeBlock::adjustedCounterValue):
1342         * runtime/Options.cpp:
1343         (JSC::recomputeDependentOptions):
1344         * runtime/Options.h:
1345
1346 2018-07-10  Mark Lam  <mark.lam@apple.com>
1347
1348         [32-bit JSC tests] ASSERTION FAILED: !butterfly->propertyStorage()[-I - 1].get() under JSC::ObjectInitializationScope::verifyPropertiesAreInitialized.
1349         https://bugs.webkit.org/show_bug.cgi?id=187362
1350         <rdar://problem/42027210>
1351
1352         Reviewed by Saam Barati.
1353
1354         On 32-bit targets, a 0 valued JSValue is not the empty JSValue, but it is a valid
1355         value to use for initializing unused properties.  Updated an assertion to account
1356         for this.
1357
1358         * runtime/ObjectInitializationScope.cpp:
1359         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
1360
1361 2018-07-10  Michael Saboff  <msaboff@apple.com>
1362
1363         YARR: . doesn't match non-BMP Unicode characters in some cases
1364         https://bugs.webkit.org/show_bug.cgi?id=187248
1365
1366         Reviewed by Geoffrey Garen.
1367
1368         The safety check in optimizeAlternative() for moving character classes that only consist of BMP
1369         characters did not take into account that the character class is inverted.  In this case, we
1370         represent '.' as "not a newline" using the newline character class with an inverted check.
1371         Clearly that includes non-BMP characters.
1372
1373         The fix is to check that the character class doesn't have non-BMP characters AND it isn't an
1374         inverted use of that character class.
1375
1376         * yarr/YarrJIT.cpp:
1377         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1378
1379 2018-07-09  Mark Lam  <mark.lam@apple.com>
1380
1381         Add --traceLLIntExecution and --traceLLIntSlowPath options.
1382         https://bugs.webkit.org/show_bug.cgi?id=187479
1383
1384         Reviewed by Yusuke Suzuki and Saam Barati.
1385
1386         These options are only available if LLINT_TRACING is enabled in LLIntCommon.h.
1387
1388         The details:
1389         1. LLINT_TRACING consolidates and replaces LLINT_EXECUTION_TRACING and LLINT_SLOW_PATH_TRACING.
1390         2. Tracing is now guarded behind runtime options --traceLLIntExecution and --traceLLIntSlowPath.
1391            This makes it such that enabling LLINT_TRACING doesn't mean that we'll be
1392            continually spammed with logging until we rebuild.
1393         3. Fixed slow path LLINT tracing to work with exception check validation.
1394
1395         * llint/LLIntCommon.h:
1396         * llint/LLIntExceptions.cpp:
1397         (JSC::LLInt::returnToThrow):
1398         (JSC::LLInt::callToThrow):
1399         * llint/LLIntOfflineAsmConfig.h:
1400         * llint/LLIntSlowPaths.cpp:
1401         (JSC::LLInt::slowPathLog):
1402         (JSC::LLInt::slowPathLn):
1403         (JSC::LLInt::slowPathLogF):
1404         (JSC::LLInt::slowPathLogLn):
1405         (JSC::LLInt::llint_trace_operand):
1406         (JSC::LLInt::llint_trace_value):
1407         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1408         (JSC::LLInt::traceFunctionPrologue):
1409         (JSC::LLInt::handleHostCall):
1410         (JSC::LLInt::setUpCall):
1411         * llint/LLIntSlowPaths.h:
1412         * llint/LowLevelInterpreter.asm:
1413         * runtime/CommonSlowPathsExceptions.cpp:
1414         (JSC::CommonSlowPaths::interpreterThrowInCaller):
1415         * runtime/Options.cpp:
1416         (JSC::Options::isAvailable):
1417         * runtime/Options.h:
1418
1419 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1420
1421         [JSC] Embed RegExp into constant buffer in UnlinkedCodeBlock and CodeBlock
1422         https://bugs.webkit.org/show_bug.cgi?id=187477
1423
1424         Reviewed by Mark Lam.
1425
1426         Before this patch, RegExp* is specially held in m_regexp buffer which resides in CodeBlock's RareData.
1427         However, it is not necessary since JSCells can reside in a constant buffer.
1428         This patch embeds RegExp* in a constant buffer in UnlinkedCodeBlock and CodeBlock, and removes the RegExp
1429         vector from RareData.
1430
1431         We also move the code of dumping RegExp from BytecodeDumper to RegExp::dumpToStream.
1432
1433         * bytecode/BytecodeDumper.cpp:
1434         (JSC::BytecodeDumper<Block>::dumpBytecode):
1435         (JSC::BytecodeDumper<Block>::dumpBlock):
1436         (JSC::regexpToSourceString): Deleted.
1437         (JSC::regexpName): Deleted.
1438         (JSC::BytecodeDumper<Block>::dumpRegExps): Deleted.
1439         * bytecode/BytecodeDumper.h:
1440         * bytecode/CodeBlock.h:
1441         (JSC::CodeBlock::regexp const): Deleted.
1442         (JSC::CodeBlock::numberOfRegExps const): Deleted.
1443         * bytecode/UnlinkedCodeBlock.cpp:
1444         (JSC::UnlinkedCodeBlock::visitChildren):
1445         (JSC::UnlinkedCodeBlock::shrinkToFit):
1446         * bytecode/UnlinkedCodeBlock.h:
1447         (JSC::UnlinkedCodeBlock::addRegExp): Deleted.
1448         (JSC::UnlinkedCodeBlock::numberOfRegExps const): Deleted.
1449         (JSC::UnlinkedCodeBlock::regexp const): Deleted.
1450         * bytecompiler/BytecodeGenerator.cpp:
1451         (JSC::BytecodeGenerator::emitNewRegExp):
1452         (JSC::BytecodeGenerator::addRegExp): Deleted.
1453         * bytecompiler/BytecodeGenerator.h:
1454         * dfg/DFGByteCodeParser.cpp:
1455         (JSC::DFG::ByteCodeParser::parseBlock):
1456         * jit/JITOpcodes.cpp:
1457         (JSC::JIT::emit_op_new_regexp):
1458         * llint/LLIntSlowPaths.cpp:
1459         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1460         * runtime/JSCJSValue.cpp:
1461         (JSC::JSValue::dumpInContextAssumingStructure const):
1462         * runtime/RegExp.cpp:
1463         (JSC::regexpToSourceString):
1464         (JSC::RegExp::dumpToStream):
1465         * runtime/RegExp.h:
1466
1467 2018-07-09  Brian Burg  <bburg@apple.com>
1468
1469         REGRESSION: Web Inspector no longer pauses in internal injected scripts like WDFindNodes.js
1470         https://bugs.webkit.org/show_bug.cgi?id=187350
1471         <rdar://problem/41728249>
1472
1473         Reviewed by Matt Baker.
1474
1475         Add a new command that toggles whether or not to blackbox internal scripts.
1476         If blackboxed, the scripts will not be shown to the frontend and the debugger will
1477         not pause in source frames from blackboxed scripts. Sometimes we want to break into
1478         those scripts when debugging Web Inspector, WebDriver, or other WebKit-internal code
1479         that injects scripts.
1480
1481         * inspector/agents/InspectorDebuggerAgent.cpp:
1482         (Inspector::InspectorDebuggerAgent::setPauseForInternalScripts):
1483         (Inspector::InspectorDebuggerAgent::didParseSource):
1484         * inspector/agents/InspectorDebuggerAgent.h:
1485         * inspector/protocol/Debugger.json:
1486
1487 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1488
1489         [JSC] Make some data members of UnlinkedCodeBlock private
1490         https://bugs.webkit.org/show_bug.cgi?id=187467
1491
1492         Reviewed by Mark Lam.
1493
1494         This patch makes m_numVars, m_numCalleeLocals, and m_numParameters of UnlinkedCodeBlock private.
1495         We also remove m_numCapturedVars since it is no longer used.
1496
1497         * bytecode/CodeBlock.cpp:
1498         (JSC::CodeBlock::CodeBlock):
1499         * bytecode/CodeBlock.h:
1500         * bytecode/UnlinkedCodeBlock.cpp:
1501         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1502         * bytecode/UnlinkedCodeBlock.h:
1503
1504 2018-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1505
1506         [JSC] Optimize layout of AccessCase / ProxyableAccessCase to reduce size of ProxyableAccessCase
1507         https://bugs.webkit.org/show_bug.cgi?id=187465
1508
1509         Reviewed by Keith Miller.
1510
1511         ProxyableAccessCase is allocated very frequently and persists for a long time. Reducing the size
1512         of ProxyableAccessCase can reduce the footprint of many web sites including nytimes.com.
1513
1514         This patch uses a slightly complicated layout to reduce ProxyableAccessCase. We add an unused bool member
1515         in AccessCase's padding, and use it in ProxyableAccessCase. By doing so, we can reduce the size
1516         of ProxyableAccessCase from 56 to 48. And it also reduces the size of GetterSetterAccessCase
1517         from 104 to 96 since it inherits ProxyableAccessCase.
1518
1519         * bytecode/AccessCase.h:
1520         (JSC::AccessCase::viaProxy const):
1521         (JSC::AccessCase::AccessCase):
1522         * bytecode/ProxyableAccessCase.cpp:
1523         (JSC::ProxyableAccessCase::ProxyableAccessCase):
1524         * bytecode/ProxyableAccessCase.h:
1525
1526 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1527
1528         Unreviewed, build fix for debug builds after r233630
1529         https://bugs.webkit.org/show_bug.cgi?id=187441
1530
1531         * jit/JIT.cpp:
1532         (JSC::JIT::frameRegisterCountFor):
1533         * llint/LLIntEntrypoint.cpp:
1534         (JSC::LLInt::frameRegisterCountFor):
1535
1536 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1537
1538         [JSC] Optimize layout of CodeBlock to reduce padding
1539         https://bugs.webkit.org/show_bug.cgi?id=187441
1540
1541         Reviewed by Mark Lam.
1542
1543         Arrange the order of members to reduce the size of CodeBlock from 552 to 544.
1544         We also make SourceCodeRepresentation 1 byte since CodeBlock has a vector of this,
1545         Vector<SourceCodeRepresentation> m_constantsSourceCodeRepresentation.
1546
1547         We also move m_numCalleeLocals and m_numVars from `public` to `private` in CodeBlock.
1548
1549         * bytecode/BytecodeDumper.cpp:
1550         (JSC::BytecodeDumper<Block>::dumpBlock):
1551         * bytecode/BytecodeUseDef.h:
1552         (JSC::computeDefsForBytecodeOffset):
1553         * bytecode/CodeBlock.cpp:
1554         (JSC::CodeBlock::CodeBlock):
1555         * bytecode/CodeBlock.h:
1556         (JSC::CodeBlock::numVars const):
1557         * bytecode/UnlinkedCodeBlock.h:
1558         (JSC::UnlinkedCodeBlock::numVars const):
1559         * dfg/DFGByteCodeParser.cpp:
1560         (JSC::DFG::ByteCodeParser::ByteCodeParser):
1561         (JSC::DFG::ByteCodeParser::flushForTerminalImpl):
1562         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1563         (JSC::DFG::ByteCodeParser::inlineCall):
1564         (JSC::DFG::ByteCodeParser::handleGetById):
1565         (JSC::DFG::ByteCodeParser::handlePutById):
1566         (JSC::DFG::ByteCodeParser::parseBlock):
1567         * dfg/DFGGraph.h:
1568         (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
1569         * dfg/DFGOSREntrypointCreationPhase.cpp:
1570         (JSC::DFG::OSREntrypointCreationPhase::run):
1571         * dfg/DFGVariableEventStream.cpp:
1572         (JSC::DFG::VariableEventStream::reconstruct const):
1573         * ftl/FTLOSREntry.cpp:
1574         (JSC::FTL::prepareOSREntry):
1575         * ftl/FTLState.cpp:
1576         (JSC::FTL::State::State):
1577         * interpreter/Interpreter.cpp:
1578         (JSC::Interpreter::dumpRegisters):
1579         * jit/JIT.cpp:
1580         (JSC::JIT::frameRegisterCountFor):
1581         * jit/JITOpcodes.cpp:
1582         (JSC::JIT::emit_op_enter):
1583         * jit/JITOpcodes32_64.cpp:
1584         (JSC::JIT::emit_op_enter):
1585         * jit/JITOperations.cpp:
1586         * llint/LLIntEntrypoint.cpp:
1587         (JSC::LLInt::frameRegisterCountFor):
1588         * llint/LLIntSlowPaths.cpp:
1589         (JSC::LLInt::traceFunctionPrologue):
1590         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1591         * runtime/JSCJSValue.h:
1592
1593 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1594
1595         [JSC] Optimize padding of UnlinkedCodeBlock to shrink
1596         https://bugs.webkit.org/show_bug.cgi?id=187448
1597
1598         Reviewed by Saam Barati.
1599
1600         We optimize the size of CodeType and TriState. And we arrange the layout of UnlinkedCodeBlock.
1601         These optimizations reduce the size of UnlinkedCodeBlock from 304 to 288.
1602
1603         * bytecode/CodeType.h:
1604         * bytecode/UnlinkedCodeBlock.cpp:
1605         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1606         * bytecode/UnlinkedCodeBlock.h:
1607         (JSC::UnlinkedCodeBlock::codeType const):
1608         (JSC::UnlinkedCodeBlock::didOptimize const):
1609         (JSC::UnlinkedCodeBlock::setDidOptimize):
1610         * bytecode/VirtualRegister.h:
1611
1612 2018-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1613
1614         [JSC] Optimize padding of InferredTypeTable by using cellLock
1615         https://bugs.webkit.org/show_bug.cgi?id=187447
1616
1617         Reviewed by Mark Lam.
1618
1619         Use cellLock() in InferredTypeTable to guard changes of internal structures.
1620         This is the same usage as in SparseArrayValueMap. By using cellLock(), we can
1621         reduce the size of InferredTypeTable from 40 to 32.
1622
1623         * runtime/InferredTypeTable.cpp:
1624         (JSC::InferredTypeTable::visitChildren):
1625         (JSC::InferredTypeTable::get):
1626         (JSC::InferredTypeTable::willStoreValue):
1627         (JSC::InferredTypeTable::makeTop):
1628         * runtime/InferredTypeTable.h:
1629         Use enum class and using-declarations. And remove `isEmpty()` since it is not used.
1630
1631         * runtime/Structure.h:
1632
1633 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         [JSC] Optimize layout of SourceProvider to reduce padding
1636         https://bugs.webkit.org/show_bug.cgi?id=187440
1637
1638         Reviewed by Mark Lam.
1639
1640         Arrange members of SourceProvider to reduce the size from 80 to 72.
1641
1642         * parser/SourceProvider.cpp:
1643         (JSC::SourceProvider::SourceProvider):
1644         * parser/SourceProvider.h:
1645
1646 2018-07-08  Mark Lam  <mark.lam@apple.com>
1647
1648         PropertyTable::skipDeletedEntries() should guard against iterating past the table end.
1649         https://bugs.webkit.org/show_bug.cgi?id=187444
1650         <rdar://problem/41282849>
1651
1652         Reviewed by Saam Barati.
1653
1654         PropertyTable supports C++ iteration by offering begin() and end() methods, and
1655         an iterator class.  The begin() methods and the iterator operator++() method use
1656         PropertyTable::skipDeletedEntries() to skip over deleted entries in the table.
1657         However, PropertyTable::skipDeletedEntries() does not prevent the iteration
1658         pointer from being incremented past the end of the table.  As a result, we can
1659         iterate past the end of the table.  Note that the C++ iteration protocol tests
1660         for the iterator not being equal to the end() value.  It does not do a <= test.
1661         If the iterator ever shoots past end, the loop will effectively not terminate.
1662
1663         This issue can manifest if and only if the last entry in the table is a deleted
1664         one, and the key field of the PropertyMapEntry shaped space at the end of the
1665         table (the one beyond the last) contains a 1 (i.e. PROPERTY_MAP_DELETED_ENTRY_KEY)
1666         value.
1667
1668         No test because manifesting this issue requires uncontrollable happenstance where
1669         memory just beyond the end of the table looks like a deleted entry.
1670
1671         * runtime/PropertyMapHashTable.h:
1672         (JSC::PropertyTable::begin):
1673         (JSC::PropertyTable::end):
1674         (JSC::PropertyTable::begin const):
1675         (JSC::PropertyTable::end const):
1676         (JSC::PropertyTable::skipDeletedEntries):
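
The end-of-table overrun described in this entry, shown as an added example (a reconstruction from the description above, not JSC's own PropertyTable code; Entry, DemoTable and the two skip functions are hypothetical names). The unguarded walk only leaves the table when the last entry is deleted and the slot just past end also reads as a deleted key, exactly the condition the entry states.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Simplified stand-in for JSC's PropertyMapEntry: only the key matters here.
// Key 1 marks a deleted entry, mirroring PROPERTY_MAP_DELETED_ENTRY_KEY.
struct Entry {
    uintptr_t key; // 0 = empty slot, 1 = deleted entry, otherwise a live key
};
static const uintptr_t deletedEntryKey = 1;

// Pre-fix shape, reconstructed from the ChangeLog's description (not JSC's
// code): skip deleted entries with no notion of where the table ends. If the
// slot right after the last entry also holds a 1, the pointer walks past end.
Entry* skipDeletedEntriesUnguarded(Entry* valuePtr, Entry* /*endValuePtr*/) {
    while (valuePtr->key == deletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// Fixed shape: never advance beyond endValuePtr. Stopping exactly at end is
// what lets the iteration protocol's `it != end()` test terminate the loop.
Entry* skipDeletedEntriesGuarded(Entry* valuePtr, Entry* endValuePtr) {
    while (valuePtr < endValuePtr && valuePtr->key == deletedEntryKey)
        ++valuePtr;
    return valuePtr;
}

// A table whose last logical entry is deleted. The backing vector carries two
// extra slots past the logical end so the unguarded walk stays inside the
// allocation in this demonstration; on a real heap those slots are whatever
// happens to follow the table. Constructed data, not real JSC state.
struct DemoTable {
    std::vector<Entry> storage;
    size_t size; // logical number of entries

    Entry* begin() { return storage.data(); }
    Entry* end() { return storage.data() + size; }
};

DemoTable makeTableWithDeletedTail(uintptr_t keyJustPastEnd) {
    DemoTable t;
    t.storage = { {10}, {1}, {20}, {1}, {keyJustPastEnd}, {0} };
    t.size = 4;
    return t;
}

// Starts a skip at the table's last (deleted) entry and reports how far past
// end() it stopped: 0 means it stopped at end as it should; > 0 is the overrun.
std::ptrdiff_t overrunFromLastEntry(DemoTable& t, bool guarded) {
    Entry* last = t.end() - 1;
    Entry* stop = guarded ? skipDeletedEntriesGuarded(last, t.end())
                          : skipDeletedEntriesUnguarded(last, t.end());
    return stop - t.end();
}

// Full begin()/end() walk with the guarded skip, the way an iterator's
// operator++ would use it; counts live entries.
size_t countLiveEntriesGuarded(DemoTable& t) {
    size_t live = 0;
    for (Entry* it = skipDeletedEntriesGuarded(t.begin(), t.end()); it != t.end();
         it = skipDeletedEntriesGuarded(it + 1, t.end()))
        ++live;
    return live;
}
```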
1677
1678 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1679
1680         [JSC] Optimize layout of SymbolTable to reduce padding
1681         https://bugs.webkit.org/show_bug.cgi?id=187437
1682
1683         Reviewed by Mark Lam.
1684
1685         Arrange the layout of SymbolTable to reduce the size from 88 to 72.
1686
1687         * runtime/SymbolTable.h:
1688
1689 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         [JSC] Optimize layout of RegExp to reduce padding
1692         https://bugs.webkit.org/show_bug.cgi?id=187438
1693
1694         Reviewed by Mark Lam.
1695
1696         Reduce the size of RegExp from 168 to 144.
1697
1698         * runtime/RegExp.cpp:
1699         (JSC::RegExp::RegExp):
1700         * runtime/RegExp.h:
1701         * runtime/RegExpKey.h:
1702         * yarr/YarrErrorCode.h:
1703
1704 2018-07-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [JSC] Optimize layout of ValueProfile to reduce padding
1707         https://bugs.webkit.org/show_bug.cgi?id=187439
1708
1709         Reviewed by Mark Lam.
1710
1711         Reduce the size of ValueProfile from 40 to 32 by reordering members.
1712
1713         * bytecode/ValueProfile.h:
1714         (JSC::ValueProfileBase::ValueProfileBase):
1715
1716 2018-07-05  Saam Barati  <sbarati@apple.com>
1717
1718         ProgramExecutable may be collected as we checkSyntax on it
1719         https://bugs.webkit.org/show_bug.cgi?id=187359
1720         <rdar://problem/41832135>
1721
1722         Reviewed by Mark Lam.
1723
1724         The bug was that we were passing in a reference to the SourceCode field on ProgramExecutable as
1725         the ProgramExecutable itself may be collected. The fix here is to make a copy
1726         of the field instead of passing in a reference inside of ParserError::toErrorObject.
1727         
1728         No new tests here as this was already caught by our iOS JSC testers.
1729
1730         * parser/ParserError.h:
1731         (JSC::ParserError::toErrorObject):
1732
1733 2018-07-04  Tim Horton  <timothy_horton@apple.com>
1734
1735         Introduce PLATFORM(IOSMAC)
1736         https://bugs.webkit.org/show_bug.cgi?id=187315
1737
1738         Reviewed by Dan Bernstein.
1739
1740         * Configurations/Base.xcconfig:
1741         * Configurations/FeatureDefines.xcconfig:
1742
1743 2018-07-03  Mark Lam  <mark.lam@apple.com>
1744
1745         [32-bit JSC tests] ASSERTION FAILED: !getDirect(offset) || !JSValue::encode(getDirect(offset)).
1746         https://bugs.webkit.org/show_bug.cgi?id=187255
1747         <rdar://problem/41785257>
1748
1749         Reviewed by Saam Barati.
1750
1751         The 32-bit JIT::emit_op_create_this() needs to initialize uninitialized properties
1752         too: basically, do what the 64-bit code is doing.  At present, this change only
1753         serves to pacify an assertion.  It is not needed for correctness because the
1754         concurrent GC is not used on 32-bit builds.
1755
1756         This issue is already covered by the slowMicrobenchmarks/rest-parameter-allocation-elimination.js
1757         test.
1758
1759         * jit/JITOpcodes32_64.cpp:
1760         (JSC::JIT::emit_op_create_this):
1761
1762 2018-07-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1763
1764         [JSC] Move slowDownAndWasteMemory function to JSArrayBufferView
1765         https://bugs.webkit.org/show_bug.cgi?id=187290
1766
1767         Reviewed by Saam Barati.
1768
1769         slowDownAndWasteMemory is just overridden by typed arrays. Since they are limited,
1770         we do not need to add this function to MethodTable: just dispatching it in JSArrayBufferView
1771         is fine. And slowDownAndWasteMemory only requires the sizeof(element), which can be
1772         easily calculated from JSType.
1773         This patch removes slowDownAndWasteMemory from MethodTable, and moves it to JSArrayBufferView.
1774
1775         * runtime/ClassInfo.h:
1776         * runtime/JSArrayBufferView.cpp:
1777         (JSC::elementSize):
1778         (JSC::JSArrayBufferView::slowDownAndWasteMemory):
1779         * runtime/JSArrayBufferView.h:
1780         * runtime/JSArrayBufferViewInlines.h:
1781         (JSC::JSArrayBufferView::possiblySharedBuffer):
1782         * runtime/JSCell.cpp:
1783         (JSC::JSCell::slowDownAndWasteMemory): Deleted.
1784         * runtime/JSCell.h:
1785         * runtime/JSDataView.cpp:
1786         (JSC::JSDataView::slowDownAndWasteMemory): Deleted.
1787         * runtime/JSDataView.h:
1788         * runtime/JSGenericTypedArrayView.h:
1789         * runtime/JSGenericTypedArrayViewInlines.h:
1790         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory): Deleted.
1791
1792 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1793
1794         Regular expressions with ".?" expressions at the start and the end match the entire string
1795         https://bugs.webkit.org/show_bug.cgi?id=119191
1796
1797         Reviewed by Michael Saboff.
1798
1799         r90962 optimized regular expressions in the form of /.*abc.*/ by looking
1800         for "abc" first and then processing the leading and trailing dot stars
1801         to find the beginning and the end of the match. However, it erroneously
1802         enabled this optimization for regular expressions whose leading or
1803         trailing dots had quantifiers that were not of arbitrary length, e.g.,
1804         /.?abc.*/, /.*abc.?/, /.{0,4}abc.*/, etc. This caused the expression to
1805         match the entire string when it shouldn't. This patch disables the
1806         optimization for those cases.
1807
1808         * yarr/YarrPattern.cpp:
1809         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1810
1811 2018-07-02  Sukolsak Sakshuwong  <sukolsak@gmail.com>
1812
1813         RegExp.exec returns wrong value with a long integer quantifier
1814         https://bugs.webkit.org/show_bug.cgi?id=187042
1815
1816         Reviewed by Saam Barati.
1817
1818         Prior to this patch, the Yarr parser checked for integer overflow when
1819         parsing quantifiers in regular expressions by adding one digit at a time
1820         to a number and checking if the result got larger. This is wrong;
1821         the parser would fail to detect overflow when parsing, for example,
1822         10,000,000,003 because (1000000000*10 + 3) % (2^32) = 1410065411 > 1000000000.
1823
1824         Another issue was that once it detected overflow, it stopped consuming
1825         the remaining digits. Since it didn't find the closing bracket, it
1826         parsed the quantifier as a normal string instead.
1827
1828         This patch fixes these issues by reading all the digits and checking for
1829         overflow with Checked<unsigned, RecordOverflow>. If it overflows, it
1830         returns the largest possible value (quantifyInfinite in this case). This
1831         matches Chrome [1], Firefox [2], and Edge [3].
1832
1833         [1] https://chromium.googlesource.com/v8/v8.git/+/23222f0a88599dcf302ccf395883944620b70fd5/src/regexp/regexp-parser.cc#1042
1834         [2] https://dxr.mozilla.org/mozilla-central/rev/aea3f3457f1531706923b8d4c595a1f271de83da/js/src/irregexp/RegExpParser.cpp#1310
1835         [3] https://github.com/Microsoft/ChakraCore/blob/fc08987381da141bb686b5d0c71d75da96f9eb8a/lib/Parser/RegexParser.cpp#L1149
1836
1837         * yarr/YarrParser.h:
1838         (JSC::Yarr::Parser::consumeNumber):
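
The two quantifier-parsing defects described in this entry, reconstructed as an added example (not JSC's Yarr code; NumberParse, consumeNumberOld, consumeNumberFixed and parseBraceQuantifier are hypothetical names, and a sticky overflow flag stands in for WTF::Checked<unsigned, RecordOverflow>). The old check misses 10000000003 because the wrapped result 1410065411 is larger than 1000000000, and where it does fire it stops eating digits so the closing brace is never found.

```cpp
#include <cstddef>
#include <limits>
#include <string>

// Sentinel for an unbounded quantifier bound, as in JSC's Yarr parser.
static const unsigned quantifyInfinite = std::numeric_limits<unsigned>::max();

struct NumberParse {
    unsigned value;   // parsed bound (quantifyInfinite once saturated)
    size_t consumed;  // how many characters of the input were eaten
    bool overflowed;  // whether the parser decided an overflow happened
};

// Old behaviour as described in the ChangeLog (reconstruction, not JSC's code):
// add one digit at a time and call it overflow only if the result got smaller.
// On "overflow" it stops consuming, leaving the remaining digits unread.
NumberParse consumeNumberOld(const std::string& input) {
    NumberParse r{0, 0, false};
    while (r.consumed < input.size() && input[r.consumed] >= '0' && input[r.consumed] <= '9') {
        unsigned next = r.value * 10 + (input[r.consumed] - '0'); // wraps modulo 2^32
        if (next < r.value) { r.overflowed = true; return r; }   // stops early
        r.value = next;
        ++r.consumed;
    }
    return r;
}

// Fixed behaviour as described in the ChangeLog: read every digit, track
// overflow with a sticky flag (the role Checked<unsigned, RecordOverflow>
// plays in JSC), and saturate to quantifyInfinite.
NumberParse consumeNumberFixed(const std::string& input) {
    NumberParse r{0, 0, false};
    const unsigned maxValue = std::numeric_limits<unsigned>::max();
    while (r.consumed < input.size() && input[r.consumed] >= '0' && input[r.consumed] <= '9') {
        unsigned digit = input[r.consumed] - '0';
        // value * 10 + digit exceeds maxValue exactly when value > (maxValue - digit) / 10
        if (!r.overflowed && r.value > (maxValue - digit) / 10)
            r.overflowed = true;
        if (!r.overflowed)
            r.value = r.value * 10 + digit;
        ++r.consumed;
    }
    if (r.overflowed)
        r.value = quantifyInfinite;
    return r;
}

// Parses a "{N}" quantifier with the given digit consumer. Returns false when
// the closing brace is not where the consumed digits end, which is how a
// stopped-early parse degrades into treating the quantifier as literal text.
bool parseBraceQuantifier(const std::string& text,
                          NumberParse (*consume)(const std::string&),
                          unsigned& bound) {
    if (text.empty() || text[0] != '{')
        return false;
    NumberParse n = consume(text.substr(1));
    size_t closeIndex = 1 + n.consumed;
    if (closeIndex >= text.size() || text[closeIndex] != '}')
        return false;
    bound = n.value;
    return true;
}
```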
1839
1840 2018-07-02  Keith Miller  <keith_miller@apple.com>
1841
1842         InstanceOf IC should do generic if the prototype is not an object.
1843         https://bugs.webkit.org/show_bug.cgi?id=187250
1844
1845         Reviewed by Mark Lam.
1846
1847         The old code was wrong for two reasons. First, the AccessCase expected that
1848         the prototype value would be non-null. Second, we would end up returning
1849         false instead of throwing an exception.
1850
1851         * jit/Repatch.cpp:
1852         (JSC::tryCacheInstanceOf):
1853
1854 2018-07-01  Mark Lam  <mark.lam@apple.com>
1855
1856         Builtins and host functions should get their own structures.
1857         https://bugs.webkit.org/show_bug.cgi?id=187211
1858         <rdar://problem/41646336>
1859
1860         Reviewed by Saam Barati.
1861
1862         JSFunctions do lazy reification of properties, but ordinary functions apply
1863         different rules of property reification than builtin and host functions.  Hence,
1864         we should give builtins and host functions their own structures.
1865
1866         * runtime/JSFunction.cpp:
1867         (JSC::JSFunction::selectStructureForNewFuncExp):
1868         (JSC::JSFunction::create):
1869         (JSC::JSFunction::getOwnPropertySlot):
1870         * runtime/JSGlobalObject.cpp:
1871         (JSC::JSGlobalObject::init):
1872         (JSC::JSGlobalObject::visitChildren):
1873         * runtime/JSGlobalObject.h:
1874         (JSC::JSGlobalObject::hostFunctionStructure const):
1875         (JSC::JSGlobalObject::arrowFunctionStructure const):
1876         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1877         (JSC::JSGlobalObject::strictFunctionStructure const):
1878
1879 2018-07-01  David Kilzer  <ddkilzer@apple.com>
1880
1881         JavaScriptCore: Fix clang static analyzer warnings: Assigned value is garbage or undefined
1882         <https://webkit.org/b/187233>
1883
1884         Reviewed by Mark Lam.
1885
1886         * b3/air/AirEliminateDeadCode.cpp:
1887         (JSC::B3::Air::eliminateDeadCode): Initialize `changed`.
1888         * parser/ParserTokens.h:
1889         (JSC::JSTextPosition::JSTextPosition): Add struct member
1890         initialization. Simplify default constructor.
1891         (JSC::JSTokenLocation::JSTokenData): Move largest struct in the
1892         union to the beginning to make it easy to zero out all fields.
1893         (JSC::JSTokenLocation::JSTokenLocation): Add struct member
1894         initialization.  Simplify default constructor.  Note that
1895         `endOffset` was not being initialized previously.
1896         (JSC::JSTextPosition::JSToken): Add struct member initialization
1897         where necessary.
1898         * runtime/IntlObject.cpp:
1899         (JSC::MatcherResult): Add struct member initialization.
1900
1901 2018-06-23  Darin Adler  <darin@apple.com>
1902
1903         [Cocoa] Improve ARC compatibility of more code in JavaScriptCore
1904         https://bugs.webkit.org/show_bug.cgi?id=186973
1905
1906         Reviewed by Dan Bernstein.
1907
1908         * API/JSContext.mm:
1909         (WeakContextRef::WeakContextRef): Deleted.
1910         (WeakContextRef::~WeakContextRef): Deleted.
1911         (WeakContextRef::get): Deleted.
1912         (WeakContextRef::set): Deleted.
1913
1914         * API/JSContextInternal.h: Removed unneeded header guards since this is
1915         an Objective-C++ header. Removed unused WeakContextRef class. Removed declaration
1916         of method -[JSContext initWithGlobalContextRef:] and JSContext property wrapperMap
1917         since neither is used outside the class implementation.
1918
1919         * API/JSManagedValue.mm:
1920         (-[JSManagedValue initWithValue:]): Use a bridging cast.
1921         (-[JSManagedValue dealloc]): Ditto.
1922         (-[JSManagedValue didAddOwner:]): Ditto.
1923         (-[JSManagedValue didRemoveOwner:]): Ditto.
1924         (JSManagedValueHandleOwner::isReachableFromOpaqueRoots): Ditto.
1925         (JSManagedValueHandleOwner::finalize): Ditto.
1926         * API/JSValue.mm:
1927         (+[JSValue valueWithNewRegularExpressionFromPattern:flags:inContext:]): Ditto.
1928         (+[JSValue valueWithNewErrorFromMessage:inContext:]): Ditto.
1929         (-[JSValue valueForProperty:]): Ditto.
1930         (-[JSValue setValue:forProperty:]): Ditto.
1931         (-[JSValue deleteProperty:]): Ditto.
1932         (-[JSValue hasProperty:]): Ditto.
1933         (-[JSValue invokeMethod:withArguments:]): Ditto.
1934         (valueToObjectWithoutCopy): Ditto. Also removed unneeded explicit type names.
1935         (valueToArray): Ditto.
1936         (valueToDictionary): Ditto.
1937         (objectToValueWithoutCopy): Ditto.
1938         (objectToValue): Ditto.
1939         * API/JSVirtualMachine.mm:
1940         (+[JSVMWrapperCache addWrapper:forJSContextGroupRef:]): Ditto.
1941         (+[JSVMWrapperCache wrapperForJSContextGroupRef:]): Ditto.
1942         (-[JSVirtualMachine isOldExternalObject:]): Ditto.
1943         (-[JSVirtualMachine addManagedReference:withOwner:]): Ditto.
1944         (-[JSVirtualMachine removeManagedReference:withOwner:]): Ditto.
1945         (-[JSVirtualMachine contextForGlobalContextRef:]): Ditto.
1946         (-[JSVirtualMachine addContext:forGlobalContextRef:]): Ditto.
1947         (scanExternalObjectGraph): Ditto.
1948         (scanExternalRememberedSet): Ditto.
1949         * API/JSWrapperMap.mm:
1950         (makeWrapper): Ditto.
1951         (-[JSObjCClassInfo wrapperForObject:inContext:]): Ditto.
1952         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]): Ditto.
1953         (tryUnwrapObjcObject): Ditto.
1954         * API/ObjCCallbackFunction.mm:
1955         (blockSignatureContainsClass): Ditto.
1956         (objCCallbackFunctionForMethod): Switched from retain to CFRetain, but not
1957         sure we will be keeping this the same way under ARC.
1958         (objCCallbackFunctionForBlock): Use a bridging cast.
1959
1960         * API/ObjcRuntimeExtras.h:
1961         (protocolImplementsProtocol): Use a more specific type that includes the
1962         explicit __unsafe_unretained for copied protocol lists.
1963         (forEachProtocolImplementingProtocol): Ditto.
1964
1965         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1966         (Inspector::convertNSNullToNil): Added to replace the CONVERT_NSNULL_TO_NIL macro.
1967         (Inspector::RemoteInspector::receivedSetupMessage): Use convertNSNullToNil.
1968
1969         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm: Moved the
1970         CFXPCBridge SPI to a header named CFXPCBridgeSPI.h.
1971         (auditTokenHasEntitlement): Deleted. Moved to Entitlements.h/cpp in WTF.
1972         (Inspector::RemoteInspectorXPCConnection::handleEvent): Use WTF::hasEntitlement.
1973         (Inspector::RemoteInspectorXPCConnection::sendMessage): Use a bridging cast.
1974
1975 2018-06-30  Adam Barth  <abarth@webkit.org>
1976
1977         Port JavaScriptCore to OS(FUCHSIA)
1978         https://bugs.webkit.org/show_bug.cgi?id=187223
1979
1980         Reviewed by Daniel Bates.
1981
1982         * assembler/ARM64Assembler.h:
1983         (JSC::ARM64Assembler::cacheFlush): Call zx_cache_flush to flush cache.
1984         * runtime/MachineContext.h: Fuchsia has the same mcontext_t as glibc.
1985         (JSC::MachineContext::stackPointerImpl):
1986         (JSC::MachineContext::framePointerImpl):
1987         (JSC::MachineContext::instructionPointerImpl):
1988         (JSC::MachineContext::argumentPointer<1>):
1989         (JSC::MachineContext::llintInstructionPointer):
1990
1991 2018-06-30  David Kilzer  <ddkilzer@apple.com>
1992
1993         Fix clang static analyzer warnings: Garbage return value
1994         <https://webkit.org/b/187224>
1995
1996         Reviewed by Eric Carlson.
1997
1998         * bytecode/UnlinkedCodeBlock.cpp:
1999         (JSC::UnlinkedCodeBlock::lineNumberForBytecodeOffset):
2000         - Use brace initialization for local variables.
2001         * debugger/DebuggerCallFrame.cpp:
2002         (class JSC::LineAndColumnFunctor):
2003         - Use class member initialization for member variables.
2004
2005 2018-06-29  Saam Barati  <sbarati@apple.com>
2006
2007         Unreviewed. Try to fix Windows build after r233377
2008
2009         * builtins/BuiltinExecutables.cpp:
2010         (JSC::BuiltinExecutables::createExecutable):
2011
2012 2018-06-29  Saam Barati  <sbarati@apple.com>
2013
2014         Don't use tracePoints in JS/Wasm entry
2015         https://bugs.webkit.org/show_bug.cgi?id=187196
2016
2017         Reviewed by Mark Lam.
2018
2019         This puts VM entry and Wasm entry tracePoints behind a runtime
2020         option. This is a ~4x speedup on a soon to be released Wasm
2021         benchmark. tracePoints should basically never run more than 50
2022         times a second. Entering the VM and entering Wasm are user controlled,
2023         and can happen hundreds of thousands of times in a second. Depending
2024         on how the Wasm/JS code is structured, this can be disastrous for
2025         performance.
2026
2027         * runtime/Options.h:
2028         * runtime/VMEntryScope.cpp:
2029         (JSC::VMEntryScope::VMEntryScope):
2030         (JSC::VMEntryScope::~VMEntryScope):
2031         * wasm/WasmBBQPlan.cpp:
2032         (JSC::Wasm::BBQPlan::compileFunctions):
2033         * wasm/js/WebAssemblyFunction.cpp:
2034         (JSC::callWebAssemblyFunction):
2035
2036 2018-06-29  Saam Barati  <sbarati@apple.com>
2037
2038         We shouldn't recurse into the parser when gathering metadata about various function offsets
2039         https://bugs.webkit.org/show_bug.cgi?id=184074
2040         <rdar://problem/37165897>
2041
2042         Reviewed by Mark Lam.
2043
2044         Prior to this patch, when we made a builtin, we had to make an UnlinkedFunctionExecutable
2045         for that builtin. This required calling into the parser. However, the parser
2046         may throw a stack overflow. We were not able to recover from that. The only
2047         reason we called into the parser here is that we were gathering text offsets
2048         and various metadata for things in the builtin function. This patch writes a
2049         mini parser that figures this information out without calling into the full
2050         parser. (I've also added a debug assert that verifies the mini parser stays in
2051         sync with the full parser.) The result of this is that BuiltinExecutables::createExecutable
2052         always succeeds.
2053
2054         * builtins/AsyncFromSyncIteratorPrototype.js:
2055         (globalPrivate.createAsyncFromSyncIterator):
2056         (globalPrivate.AsyncFromSyncIteratorConstructor):
2057         * builtins/BuiltinExecutables.cpp:
2058         (JSC::BuiltinExecutables::createExecutable):
2059         * builtins/GlobalOperations.js:
2060         (globalPrivate.getter.overriddenName.string_appeared_here.speciesGetter):
2061         (globalPrivate.speciesConstructor):
2062         (globalPrivate.copyDataProperties):
2063         (globalPrivate.copyDataPropertiesNoExclusions):
2064         * builtins/PromiseOperations.js:
2065         (globalPrivate.newHandledRejectedPromise):
2066         * builtins/RegExpPrototype.js:
2067         (globalPrivate.hasObservableSideEffectsForRegExpMatch):
2068         (globalPrivate.hasObservableSideEffectsForRegExpSplit):
2069         * builtins/StringPrototype.js:
2070         (globalPrivate.hasObservableSideEffectsForStringReplace):
2071         (globalPrivate.getDefaultCollator):
2072         * parser/Nodes.cpp:
2073         (JSC::FunctionMetadataNode::FunctionMetadataNode):
2074         (JSC::FunctionMetadataNode::operator== const):
2075         (JSC::FunctionMetadataNode::dump const):
2076         * parser/Nodes.h:
2077         * parser/Parser.h:
2078         (JSC::parse):
2079         * parser/ParserError.h:
2080         (JSC::ParserError::type const):
2081         * parser/ParserTokens.h:
2082         (JSC::JSTextPosition::operator== const):
2083         (JSC::JSTextPosition::operator!= const):
2084         * parser/SourceCode.h:
2085         (JSC::SourceCode::operator== const):
2086         (JSC::SourceCode::operator!= const):
2087         (JSC::SourceCode::subExpression const):
2088         (JSC::SourceCode::subExpression): Deleted.
2089
2090 2018-06-28  Michael Saboff  <msaboff@apple.com>
2091   
2092         IsoCellSet::sweepToFreeList() not safe when Full GC in process
2093         https://bugs.webkit.org/show_bug.cgi?id=187157
2094
2095         Reviewed by Mark Lam.
2096
2097         * heap/IsoCellSet.cpp:
2098         (JSC::IsoCellSet::sweepToFreeList): Changed the "stale marks logic" to match what
2099         is in MarkedBlock::Handle::specializedSweep where it takes into account whether
2100         or not we are in the process of marking during a full GC.
2101         * heap/MarkedBlock.h:
2102         * heap/MarkedBlockInlines.h:
2103         (JSC::MarkedBlock::Handle::areMarksStaleForSweep): New helper.
2104
2105 2018-06-27  Saam Barati  <sbarati@apple.com>
2106
2107         Add some more register state information when we crash in repatchPutById
2108         https://bugs.webkit.org/show_bug.cgi?id=187112
2109
2110         Reviewed by Mark Lam.
2111
2112         This will help us gather info when we end up seeing a ObjectPropertyConditionSet
2113         with an offset that is different than what the put tells us.
2114
2115         * jit/Repatch.cpp:
2116         (JSC::tryCachePutByID):
2117
2118 2018-06-27  Mark Lam  <mark.lam@apple.com>
2119
2120         Fix a bug in $vm.callFrame() and apply previously requested renaming of $vm.println to print.
2121         https://bugs.webkit.org/show_bug.cgi?id=187119
2122
2123         Reviewed by Keith Miller.
2124
2125         $vm.callFrame()'s JSDollarVMCallFrame::finishCreation()
2126         should be checking for codeBlock instead of !codeBlock
2127         before using the codeBlock.
2128
2129         I also renamed some other "print" functions to use "dump" instead
2130         to match their underlying C++ code that they will call e.g.
2131         CodeBlock::dumpSource().
2132
2133         * tools/JSDollarVM.cpp:
2134         (WTF::JSDollarVMCallFrame::finishCreation):
2135         (JSC::functionDumpSourceFor):
2136         (JSC::functionDumpBytecodeFor):
2137         (JSC::doPrint):
2138         (JSC::functionDataLog):
2139         (JSC::functionPrint):
2140         (JSC::functionDumpCallFrame):
2141         (JSC::functionDumpStack):
2142         (JSC::JSDollarVM::finishCreation):
2143         (JSC::functionPrintSourceFor): Deleted.
2144         (JSC::functionPrintBytecodeFor): Deleted.
2145         (JSC::doPrintln): Deleted.
2146         (JSC::functionPrintln): Deleted.
2147         (JSC::functionPrintCallFrame): Deleted.
2148         (JSC::functionPrintStack): Deleted.
2149         * tools/VMInspector.cpp:
2150         (JSC::DumpFrameFunctor::DumpFrameFunctor):
2151         (JSC::DumpFrameFunctor::operator() const):
2152         (JSC::VMInspector::dumpCallFrame):
2153         (JSC::VMInspector::dumpStack):
2154         (JSC::VMInspector::dumpValue):
2155         (JSC::PrintFrameFunctor::PrintFrameFunctor): Deleted.
2156         (JSC::PrintFrameFunctor::operator() const): Deleted.
2157         (JSC::VMInspector::printCallFrame): Deleted.
2158         (JSC::VMInspector::printStack): Deleted.
2159         (JSC::VMInspector::printValue): Deleted.
2160         * tools/VMInspector.h:
2161
2162 2018-06-27  Keith Miller  <keith_miller@apple.com>
2163
2164         Add logging to try to diagnose where we get a null structure.
2165         https://bugs.webkit.org/show_bug.cgi?id=187106
2166
2167         Reviewed by Mark Lam.
2168
2169         Add a logging to JSObject::toPrimitive to help diagnose a nullptr
2170         structure crash.
2171
2172         This code should be removed when we fix <rdar://problem/33451840>
2173
2174         * runtime/JSObject.cpp:
2175         (JSC::callToPrimitiveFunction):
2176         * runtime/JSObject.h:
2177         (JSC::JSObject::getPropertySlot):
2178
2179 2018-06-27  Mark Lam  <mark.lam@apple.com>
2180
2181         DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
2182         https://bugs.webkit.org/show_bug.cgi?id=187091
2183         <rdar://problem/41395624>
2184
2185         Reviewed by Yusuke Suzuki.
2186
2187         Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
2188         take their slow paths, the slow path would jump back to the fast path right after
2189         the emitted code which clears the unused property values.  As a result, the
2190         unused properties are not initialized.  We've fixed this by adding the slow path
2191         generators before we emit the code to clear the unused properties.
2192
2193         * dfg/DFGSpeculativeJIT.cpp:
2194         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
2195         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
2196
2197 2018-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2198
2199         [JSC] ArrayPatternNode::emitDirectBinding does not return assignment target value if dst is nullptr
2200         https://bugs.webkit.org/show_bug.cgi?id=185943
2201
2202         Reviewed by Mark Lam.
2203
2204         ArrayPatternNode::emitDirectBinding should return a register with an assignment target instead of filling
2205         the result with undefined if `dst` is nullptr. While `dst == ignoredResult()` means we do not require
2206         the result, `dst == nullptr` just means "dst is required, but a register for dst is not allocated".
2207         This patch fixes emitDirectBinding to return an appropriate value with an allocated register for dst.
2208
2209         ArrayPatternNode::emitDirectBinding() should be removed later since it does not follow array spreading protocol,
2210         but it should be done in a separate patch since it would be performance sensitive.
2211
2212         * bytecompiler/NodesCodegen.cpp:
2213         (JSC::ArrayPatternNode::emitDirectBinding):
2214
2215 2018-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2216
2217         [JSC] Pass VM& to functions more
2218         https://bugs.webkit.org/show_bug.cgi?id=186241
2219
2220         Reviewed by Mark Lam.
2221
2222         This patch threads VM& to functions requiring VM& more.
2223
2224         * API/JSObjectRef.cpp:
2225         (JSObjectIsConstructor):
2226         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2227         (JSC::AdaptiveInferredPropertyValueWatchpointBase::install):
2228         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2229         (JSC::AdaptiveInferredPropertyValueWatchpointBase::StructureWatchpoint::fireInternal):
2230         (JSC::AdaptiveInferredPropertyValueWatchpointBase::PropertyWatchpoint::fireInternal):
2231         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2232         * bytecode/CodeBlockJettisoningWatchpoint.cpp:
2233         (JSC::CodeBlockJettisoningWatchpoint::fireInternal):
2234         * bytecode/CodeBlockJettisoningWatchpoint.h:
2235         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2236         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::install):
2237         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2238         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.h:
2239         * bytecode/StructureStubClearingWatchpoint.cpp:
2240         (JSC::StructureStubClearingWatchpoint::fireInternal):
2241         * bytecode/StructureStubClearingWatchpoint.h:
2242         * bytecode/Watchpoint.cpp:
2243         (JSC::Watchpoint::fire):
2244         (JSC::WatchpointSet::fireAllWatchpoints):
2245         * bytecode/Watchpoint.h:
2246         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp:
2247         (JSC::DFG::AdaptiveInferredPropertyValueWatchpoint::handleFire):
2248         * dfg/DFGAdaptiveInferredPropertyValueWatchpoint.h:
2249         * dfg/DFGAdaptiveStructureWatchpoint.cpp:
2250         (JSC::DFG::AdaptiveStructureWatchpoint::install):
2251         (JSC::DFG::AdaptiveStructureWatchpoint::fireInternal):
2252         * dfg/DFGAdaptiveStructureWatchpoint.h:
2253         * dfg/DFGDesiredWatchpoints.cpp:
2254         (JSC::DFG::AdaptiveStructureWatchpointAdaptor::add):
2255         * llint/LLIntSlowPaths.cpp:
2256         (JSC::LLInt::setupGetByIdPrototypeCache):
2257         * runtime/ArrayPrototype.cpp:
2258         (JSC::ArrayPrototype::tryInitializeSpeciesWatchpoint):
2259         (JSC::ArrayPrototypeAdaptiveInferredPropertyWatchpoint::handleFire):
2260         * runtime/ECMAScriptSpecInternalFunctions.cpp:
2261         (JSC::esSpecIsConstructor):
2262         * runtime/FunctionRareData.cpp:
2263         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2264         * runtime/FunctionRareData.h:
2265         * runtime/InferredStructureWatchpoint.cpp:
2266         (JSC::InferredStructureWatchpoint::fireInternal):
2267         * runtime/InferredStructureWatchpoint.h:
2268         * runtime/InternalFunction.cpp:
2269         (JSC::InternalFunction::createSubclassStructureSlow):
2270         * runtime/InternalFunction.h:
2271         (JSC::InternalFunction::createSubclassStructure):
2272         * runtime/JSCJSValue.h:
2273         * runtime/JSCJSValueInlines.h:
2274         (JSC::JSValue::isConstructor const):
2275         * runtime/JSCell.h:
2276         * runtime/JSCellInlines.h:
2277         (JSC::JSCell::isConstructor):
2278         (JSC::JSCell::methodTable const):
2279         * runtime/JSGlobalObject.cpp:
2280         (JSC::JSGlobalObject::init):
2281         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h:
2282         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2283         * runtime/ProxyObject.cpp:
2284         (JSC::ProxyObject::finishCreation):
2285         * runtime/ReflectObject.cpp:
2286         (JSC::reflectObjectConstruct):
2287         * runtime/StructureRareData.cpp:
2288         (JSC::StructureRareData::setObjectToStringValue):
2289         (JSC::ObjectToStringAdaptiveStructureWatchpoint::install):
2290         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2291         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2292
2293 2018-06-26  Mark Lam  <mark.lam@apple.com>
2294
2295         eval() is wrong about the LiteralParser never throwing any exceptions.
2296         https://bugs.webkit.org/show_bug.cgi?id=187074
2297         <rdar://problem/41461099>
2298
2299         Reviewed by Saam Barati.
2300
2301         Added the missing exception check, and removed an erroneous assertion.
2302
2303         * interpreter/Interpreter.cpp:
2304         (JSC::eval):
2305
2306 2018-06-26  Saam Barati  <sbarati@apple.com>
2307
2308         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2309         https://bugs.webkit.org/show_bug.cgi?id=186878
2310         <rdar://problem/40568659>
2311
2312         Reviewed by Filip Pizlo.
2313
2314         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2315         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2316         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells can't
2317         be allocated from HeapCell::Kind::Auxiliary. This patch adds a new HeapCell::Kind
2318         called JSCellWithInteriorPointers. It behaves like JSCell in all ways, except
2319         conservative scan knows to treat it like a butterfly when we may be
2320         pointing into the middle of it.
2321         
2322         The way we were crashing on the stress GC bots is that our conservative marking
2323         won't do cell visiting for things that are Auxiliary. This meant that if the
2324         stack were the only thing pointing to a JSImmutableButterfly when a GC took place,
2325         that JSImmutableButterfly would not be visited. This is now fixed.
2326
2327         * bytecompiler/NodesCodegen.cpp:
2328         (JSC::ArrayNode::emitBytecode):
2329         * debugger/Debugger.cpp:
2330         * heap/ConservativeRoots.cpp:
2331         (JSC::ConservativeRoots::genericAddPointer):
2332         * heap/Heap.cpp:
2333         (JSC::GatherHeapSnapshotData::operator() const):
2334         (JSC::RemoveDeadHeapSnapshotNodes::operator() const):
2335         (JSC::Heap::globalObjectCount):
2336         (JSC::Heap::objectTypeCounts):
2337         (JSC::Heap::deleteAllCodeBlocks):
2338         * heap/HeapCell.cpp:
2339         (WTF::printInternal):
2340         * heap/HeapCell.h:
2341         (JSC::isJSCellKind):
2342         (JSC::hasInteriorPointers):
2343         * heap/HeapUtil.h:
2344         (JSC::HeapUtil::findGCObjectPointersForMarking):
2345         (JSC::HeapUtil::isPointerGCObjectJSCell):
2346         * heap/MarkedBlock.cpp:
2347         (JSC::MarkedBlock::Handle::didAddToDirectory):
2348         * heap/SlotVisitor.cpp:
2349         (JSC::SlotVisitor::appendJSCellOrAuxiliary):
2350         * runtime/JSGlobalObject.cpp:
2351         * runtime/JSImmutableButterfly.h:
2352         (JSC::JSImmutableButterfly::subspaceFor):
2353         * runtime/VM.cpp:
2354         (JSC::VM::VM):
2355         * runtime/VM.h:
2356         * tools/CellProfile.h:
2357         (JSC::CellProfile::CellProfile):
2358         (JSC::CellProfile::isJSCell const):
2359         * tools/HeapVerifier.cpp:
2360         (JSC::HeapVerifier::validateCell):
2361
2362 2018-06-26  Mark Lam  <mark.lam@apple.com>
2363
2364         Skip some unnecessary work in Interpreter::getStackTrace().
2365         https://bugs.webkit.org/show_bug.cgi?id=187070
2366
2367         Reviewed by Michael Saboff.
2368
2369         * interpreter/Interpreter.cpp:
2370         (JSC::Interpreter::getStackTrace):
2371
2372 2018-06-26  Mark Lam  <mark.lam@apple.com>
2373
2374         ASSERTION FAILED: length > butterfly->vectorLength() in JSObject::ensureLengthSlow().
2375         https://bugs.webkit.org/show_bug.cgi?id=187060
2376         <rdar://problem/41452767>
2377
2378         Reviewed by Keith Miller.
2379
2380         JSObject::ensureLengthSlow() may be called only because it needs to do a copy on
2381         write conversion.  Hence, we can return early after the conversion if the vector
2382         length is already sufficient to cover the requested length.
2383
2384         * runtime/JSObject.cpp:
2385         (JSC::JSObject::ensureLengthSlow):
2386
2387 2018-06-26  Commit Queue  <commit-queue@webkit.org>
2388
2389         Unreviewed, rolling out r233184.
2390         https://bugs.webkit.org/show_bug.cgi?id=187059
2391
2392         "It regressed JetStream between 5-8%" (Requested by saamyjoon
2393         on #webkit).
2394
2395         Reverted changeset:
2396
2397         "JSImmutableButterfly can't be allocated from a subspace with
2398         HeapCell::Kind::Auxiliary"
2399         https://bugs.webkit.org/show_bug.cgi?id=186878
2400         https://trac.webkit.org/changeset/233184
2401
2402 2018-06-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2403
2404         REGRESSION(r233065): Build broken with clang-3.8 and libstdc++-5
2405         https://bugs.webkit.org/show_bug.cgi?id=187051
2406
2407         Reviewed by Mark Lam.
2408
2409         Revert r233065 changes over UnlinkedCodeBlock.h to allow
2410         clang-3.8 to be able to compile this back (with libstdc++5).
2411
2412         * bytecode/UnlinkedCodeBlock.h:
2413         (JSC::UnlinkedCodeBlock::decompressArrayAllocationProfile):
2414
2415 2018-06-26  Tadeu Zagallo  <tzagallo@apple.com>
2416
2417         Fix testapi build when DFG_JIT is disabled
2418         https://bugs.webkit.org/show_bug.cgi?id=187038
2419
2420         Reviewed by Mark Lam.
2421
2422         r233158 added a new API and tests for configuring the number of JIT threads, but
2423         the API is only available when DFG_JIT is enabled and so should the tests.
2424
2425         * API/tests/testapi.mm:
2426         (runJITThreadLimitTests):
2427
2428 2018-06-25  Saam Barati  <sbarati@apple.com>
2429
2430         JSImmutableButterfly can't be allocated from a subspace with HeapCell::Kind::Auxiliary
2431         https://bugs.webkit.org/show_bug.cgi?id=186878
2432         <rdar://problem/40568659>
2433
2434         Reviewed by Mark Lam.
2435
2436         This patch fixes a bug in our JSImmutableButterfly implementation uncovered by
2437         our stress GC bots. Before this patch, JSImmutableButterfly was allocated
2438         with HeapCell::Kind::Auxiliary. This is wrong. Things that are JSCells must be
2439         allocated from HeapCell::Kind::JSCell. The way this broke on the stress GC
2440         bots is that our conservative marking won't do cell marking for things that
2441         are Auxiliary. This means that if the stack is the only thing pointing to a
2442         JSImmutableButterfly when a GC took place, that JSImmutableButterfly would
2443         not be visited. This patch fixes this bug. This patch also extends our conservative
2444         marking to understand that there may be interior pointers to things that are HeapCell::Kind::JSCell.
2445
2446         * bytecompiler/NodesCodegen.cpp:
2447         (JSC::ArrayNode::emitBytecode):
2448         * heap/HeapUtil.h:
2449         (JSC::HeapUtil::findGCObjectPointersForMarking):
2450         * runtime/JSImmutableButterfly.h:
2451         (JSC::JSImmutableButterfly::subspaceFor):
2452
2453 2018-06-25  Mark Lam  <mark.lam@apple.com>
2454
2455         constructArray() should set m_numValuesInVector to the specified length.
2456         https://bugs.webkit.org/show_bug.cgi?id=187010
2457         <rdar://problem/41392167>
2458
2459         Reviewed by Filip Pizlo.
2460
2461         Its client will fill in the storage vector with some values using initializeIndex()
2462         and expects m_numValuesInVector to be set to the length i.e. the number of values
2463         to be initialized.
2464
2465         * runtime/JSArray.cpp:
2466         (JSC::constructArray):
2467
2468 2018-06-25  Mark Lam  <mark.lam@apple.com>
2469
2470         Add missing exception check in RegExpObjectInlines.h's collectMatches.
2471         https://bugs.webkit.org/show_bug.cgi?id=187006
2472         <rdar://problem/41418412>
2473
2474         Reviewed by Keith Miller.
2475
2476         * runtime/RegExpObjectInlines.h:
2477         (JSC::collectMatches):
2478
2479 2018-06-25  Tadeu Zagallo  <tzagallo@apple.com>
2480
2481         Add API for configuring the number of threads used by DFG and FTL
2482         https://bugs.webkit.org/show_bug.cgi?id=186859
2483         <rdar://problem/41093519>
2484
2485         Reviewed by Filip Pizlo.
2486
2487         Add new private APIs for limiting the number of threads to be used by
2488         the DFG and FTL compilers. It was already possible to configure the
2489         limit through JSC Options, but now it can be changed at runtime, even
2490         in the case when the VM is already running.
2491
2492         Add a test for both cases: when trying to configure the limit before
2493         and after the Worklist has been created, but in order to simulate the
2494         first scenario, we must guarantee that the test runs at the very
2495         beginning, so I also added a check for that.
2496
2497         * API/JSVirtualMachine.mm:
2498         (+[JSVirtualMachine setNumberOfDFGCompilerThreads:]):
2499         (+[JSVirtualMachine setNumberOfFTLCompilerThreads:]):
2500         * API/JSVirtualMachinePrivate.h:
2501         * API/tests/testapi.mm:
2502         (runJITThreadLimitTests):
2503         (testObjectiveCAPIMain):
2504         * dfg/DFGWorklist.cpp:
2505         (JSC::DFG::Worklist::finishCreation):
2506         (JSC::DFG::Worklist::createNewThread):
2507         (JSC::DFG::Worklist::setNumberOfThreads):
2508         * dfg/DFGWorklist.h:
2509
2510 2018-06-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2511
2512         [JSC] Remove unnecessary PLATFORM guards
2513         https://bugs.webkit.org/show_bug.cgi?id=186995
2514
2515         Reviewed by Mark Lam.
2516
2517         * assembler/AssemblerCommon.h:
2518         (JSC::isIOS):
2519         Add constexpr.
2520
2521         * inspector/JSGlobalObjectInspectorController.cpp:
2522         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2523         StackFrame works in all the platforms. If StackFrame::demangle failed,
2524         it just returns std::nullopt. And it is correctly handled in this code.
2525
2526 2018-06-23  Mark Lam  <mark.lam@apple.com>
2527
2528         Add more debugging features to $vm.
2529         https://bugs.webkit.org/show_bug.cgi?id=186947
2530
2531         Reviewed by Keith Miller.
2532
2533         Adding the following features:
2534
2535             // We now have println in addition to print.
2536             // println automatically adds a '\n' at the end.
2537             $vm.println("Hello");
2538
2539             // We can now capture some info about a stack frame.
2540             var currentFrame = $vm.callFrame(); // Same as $vm.callFrame(0);
2541             var callerCallerFrame = $vm.callFrame(2);
2542
2543             // We can inspect the following values associated with the frame:
2544             if (currentFrame.valid) {
2545                 $vm.println("name is ", currentFrame.name);
2546
2547                 // Note: For a WASM frame, all of these will be undefined.
2548                 $vm.println("callee is ", $vm.value(currentFrame.callee));
2549                 $vm.println("codeBlock is ", currentFrame.codeBlock);
2550                 $vm.println("unlinkedCodeBlock is ", currentFrame.unlinkedCodeBlock);
2551                 $vm.println("executable is ", currentFrame.executable);
2552             }
2553
2554             // Note that callee is a JSObject.  I printed its $vm.value() because I wanted
2555             // to dataLog its JSValue instead of its toString() result.
2556
2557             // Note that $vm.println() (and $vm.print()) can now print internal JSCells
2558             // (and Symbols) as JSValue dumps. It won't just fail on trying to do a
2559             // toString on a non-object.
2560
2561             // Does what it says about enabling/disabling debugger mode.
2562             $vm.enableDebuggerModeWhenIdle();
2563             $vm.disableDebuggerModeWhenIdle();
2564
2565         * tools/JSDollarVM.cpp:
2566         (WTF::JSDollarVMCallFrame::JSDollarVMCallFrame):
2567         (WTF::JSDollarVMCallFrame::createStructure):
2568         (WTF::JSDollarVMCallFrame::create):
2569         (WTF::JSDollarVMCallFrame::finishCreation):
2570         (WTF::JSDollarVMCallFrame::addProperty):
2571         (JSC::functionCallFrame):
2572         (JSC::functionCodeBlockForFrame):
2573         (JSC::codeBlockFromArg):
2574         (JSC::doPrintln):
2575         (JSC::functionPrint):
2576         (JSC::functionPrintln):
2577         (JSC::changeDebuggerModeWhenIdle):
2578         (JSC::functionEnableDebuggerModeWhenIdle):
2579         (JSC::functionDisableDebuggerModeWhenIdle):
2580         (JSC::JSDollarVM::finishCreation):
2581
2582 2018-06-22  Keith Miller  <keith_miller@apple.com>
2583
2584         We need to have a getDirectConcurrently for use in the compilers
2585         https://bugs.webkit.org/show_bug.cgi?id=186954
2586
2587         Reviewed by Mark Lam.
2588
2589         It used to be that the propertyStorage of an object never shrank,
2590         so if you called getDirect with some offset it would never be an
2591         OOB read. However, this property storage can shrink when calling
2592         flattenDictionaryStructure. Fortunately, flattenDictionaryStructure
2593         holds the Structure's ConcurrentJSLock while shrinking. This patch
2594         adds a getDirectConcurrently that will safely try to load from the
2595         butterfly.
2596
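        The hazard this entry describes, as an added illustration that is not JSC code: a stand-in object whose out-of-line storage can shrink under a lock, an unlocked reader that trusts a previously valid offset, and a locked reader that re-validates the offset against the current size before loading. The names ModelObject, getDirectUnsafe, flatten and simulateStaleOffsetRead are hypothetical; the interleaving is replayed sequentially rather than with real threads.

```cpp
#include <cstddef>
#include <cstdio>
#include <mutex>
#include <optional>
#include <vector>

// Hypothetical model (added example, not JSC's code) of the getDirectConcurrently
// fix: a compiler thread may hold a property offset that was valid when it was
// discovered, while the mutator shrinks the storage underneath it.
using JSValue = long;            // stand-in for JSC::JSValue
using PropertyOffset = std::size_t;

struct ModelObject {
    std::mutex concurrentLock;        // stand-in for the Structure's ConcurrentJSLock
    std::vector<JSValue> butterfly;   // out-of-line property storage

    // Unsafe reader: assumes an offset that was once in bounds still is. Once the
    // storage has shrunk this indexes past the end, which is the OOB read the
    // ChangeLog entry describes. Kept raw on purpose to show the defect; only
    // call it while the offset is known to be in bounds.
    JSValue getDirectUnsafe(PropertyOffset offset) const {
        return butterfly[offset];
    }

    // Safe reader: takes the same lock the shrinking path holds, then checks the
    // offset against the *current* size. Returns nullopt when the slot is gone so
    // a caller such as a constant-folding pass can give up instead of reading junk.
    std::optional<JSValue> getDirectConcurrently(PropertyOffset offset) {
        std::lock_guard<std::mutex> locker(concurrentLock);
        if (offset >= butterfly.size())
            return std::nullopt;
        return butterfly[offset];
    }

    // Models flattenDictionaryStructure: drops the tail of the storage, holding the
    // lock for the whole shrink so a concurrent safe reader never sees a half state.
    void flatten(std::size_t newSize) {
        std::lock_guard<std::mutex> locker(concurrentLock);
        if (newSize < butterfly.size())
            butterfly.resize(newSize);
    }
};

struct RaceOutcome {
    JSValue valueBeforeShrink;   // what the compiler saw when it learned the offset
    bool slotStillPresent;       // whether the safe reader still finds that slot after the shrink
    JSValue survivingSlot;       // a slot that is still in bounds after the shrink
    std::size_t sizeAfterShrink;
};

// Replays the interleaving sequentially with constructed sample data:
//   1. compiler thread reads offset 3 (valid, four slots exist),
//   2. mutator flattens the object down to two slots,
//   3. compiler thread tries the same offset again.
RaceOutcome simulateStaleOffsetRead() {
    ModelObject object;
    object.butterfly = {10, 20, 30, 40};   // constructed sample storage
    const PropertyOffset staleOffset = 3;

    RaceOutcome outcome{};
    outcome.valueBeforeShrink = object.getDirectUnsafe(staleOffset);  // in bounds here

    object.flatten(2);   // the storage shrinks; offset 3 is now past the end

    std::optional<JSValue> retry = object.getDirectConcurrently(staleOffset);
    outcome.slotStillPresent = retry.has_value();   // false: the safe path bails out
    outcome.survivingSlot = object.getDirectConcurrently(1).value_or(-1);
    outcome.sizeAfterShrink = object.butterfly.size();
    return outcome;
}

int main() {
    RaceOutcome outcome = simulateStaleOffsetRead();
    std::printf("before shrink: %ld, slot still present after shrink: %s, surviving slot: %ld\n",
                outcome.valueBeforeShrink, outcome.slotStillPresent ? "yes" : "no",
                outcome.survivingSlot);
    return 0;
}
```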
2597         * bytecode/ObjectPropertyConditionSet.cpp:
2598         * bytecode/PropertyCondition.cpp:
2599         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint const):
2600         (JSC::PropertyCondition::attemptToMakeEquivalenceWithoutBarrier const):
2601         * dfg/DFGGraph.cpp:
2602         (JSC::DFG::Graph::tryGetConstantProperty):
2603         * runtime/JSObject.h:
2604         (JSC::JSObject::getDirectConcurrently const):
2605
2606 2018-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2607
2608         [WTF] Use Ref<> for the result type of non-failing factory functions
2609         https://bugs.webkit.org/show_bug.cgi?id=186920
2610
2611         Reviewed by Darin Adler.
2612
2613         * dfg/DFGWorklist.cpp:
2614         (JSC::DFG::Worklist::ThreadBody::ThreadBody):
2615         (JSC::DFG::Worklist::finishCreation):
2616         * dfg/DFGWorklist.h:
2617         * heap/Heap.cpp:
2618         (JSC::Heap::Thread::Thread):
2619         * heap/Heap.h:
2620         * jit/JITWorklist.cpp:
2621         (JSC::JITWorklist::Thread::Thread):
2622         * jit/JITWorklist.h:
2623         * runtime/VMTraps.cpp:
2624         * runtime/VMTraps.h:
2625         * wasm/WasmWorklist.cpp:
2626         * wasm/WasmWorklist.h:
2627
2628 2018-06-23  Yusuke Suzuki  <utatane.tea@gmail.com>
2629
2630         [WTF] Add user-defined literal for ASCIILiteral
2631         https://bugs.webkit.org/show_bug.cgi?id=186839
2632
2633         Reviewed by Darin Adler.
2634
2635         * API/JSCallbackObjectFunctions.h:
2636         (JSC::JSCallbackObject<Parent>::staticFunctionGetter):
2637         (JSC::JSCallbackObject<Parent>::callbackGetter):
2638         * API/JSObjectRef.cpp:
2639         (JSObjectMakeFunctionWithCallback):
2640         * API/JSTypedArray.cpp:
2641         (JSObjectGetArrayBufferBytesPtr):
2642         * API/JSValue.mm:
2643         (valueToArray):
2644         (valueToDictionary):
2645         * API/ObjCCallbackFunction.mm:
2646         (JSC::objCCallbackFunctionCallAsFunction):
2647         (JSC::objCCallbackFunctionCallAsConstructor):
2648         (JSC::ObjCCallbackFunctionImpl::call):
2649         * API/glib/JSCCallbackFunction.cpp:
2650         (JSC::JSCCallbackFunction::call):
2651         (JSC::JSCCallbackFunction::construct):
2652         * API/glib/JSCContext.cpp:
2653         (jscContextJSValueToGValue):
2654         * API/glib/JSCValue.cpp:
2655         (jsc_value_object_define_property_accessor):
2656         (jscValueFunctionCreate):
2657         * builtins/BuiltinUtils.h:
2658         * bytecode/CodeBlock.cpp:
2659         (JSC::CodeBlock::nameForRegister):
2660         * bytecompiler/BytecodeGenerator.cpp:
2661         (JSC::BytecodeGenerator::emitEnumeration):
2662         (JSC::BytecodeGenerator::emitIteratorNext):
2663         (JSC::BytecodeGenerator::emitIteratorClose):
2664         (JSC::BytecodeGenerator::emitDelegateYield):
2665         * bytecompiler/NodesCodegen.cpp:
2666         (JSC::FunctionCallValueNode::emitBytecode):
2667         (JSC::PostfixNode::emitBytecode):
2668         (JSC::PrefixNode::emitBytecode):
2669         (JSC::AssignErrorNode::emitBytecode):
2670         (JSC::ForInNode::emitBytecode):
2671         (JSC::ForOfNode::emitBytecode):
2672         (JSC::ClassExprNode::emitBytecode):
2673         (JSC::ObjectPatternNode::bindValue const):
2674         * dfg/DFGDriver.cpp:
2675         (JSC::DFG::compileImpl):
2676         * dfg/DFGOperations.cpp:
2677         (JSC::DFG::newTypedArrayWithSize):
2678         * dfg/DFGStrengthReductionPhase.cpp:
2679         (JSC::DFG::StrengthReductionPhase::handleNode):
2680         * inspector/ConsoleMessage.cpp:
2681         (Inspector::ConsoleMessage::addToFrontend):
2682         (Inspector::ConsoleMessage::clear):
2683         * inspector/ContentSearchUtilities.cpp:
2684         (Inspector::ContentSearchUtilities::findStylesheetSourceMapURL):
2685         * inspector/InjectedScript.cpp:
2686         (Inspector::InjectedScript::InjectedScript):
2687         (Inspector::InjectedScript::evaluate):
2688         (Inspector::InjectedScript::callFunctionOn):
2689         (Inspector::InjectedScript::evaluateOnCallFrame):
2690         (Inspector::InjectedScript::getFunctionDetails):
2691         (Inspector::InjectedScript::functionDetails):
2692         (Inspector::InjectedScript::getPreview):
2693         (Inspector::InjectedScript::getProperties):
2694         (Inspector::InjectedScript::getDisplayableProperties):
2695         (Inspector::InjectedScript::getInternalProperties):
2696         (Inspector::InjectedScript::getCollectionEntries):
2697         (Inspector::InjectedScript::saveResult):
2698         (Inspector::InjectedScript::wrapCallFrames const):
2699         (Inspector::InjectedScript::wrapObject const):
2700         (Inspector::InjectedScript::wrapJSONString const):
2701         (Inspector::InjectedScript::wrapTable const):
2702         (Inspector::InjectedScript::previewValue const):
2703         (Inspector::InjectedScript::setExceptionValue):
2704         (Inspector::InjectedScript::clearExceptionValue):
2705         (Inspector::InjectedScript::findObjectById const):
2706         (Inspector::InjectedScript::inspectObject):
2707         (Inspector::InjectedScript::releaseObject):
2708         (Inspector::InjectedScript::releaseObjectGroup):
2709         * inspector/InjectedScriptBase.cpp:
2710         (Inspector::InjectedScriptBase::makeEvalCall):
2711         * inspector/InjectedScriptManager.cpp:
2712         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2713         * inspector/InjectedScriptModule.cpp:
2714         (Inspector::InjectedScriptModule::ensureInjected):
2715         * inspector/InspectorBackendDispatcher.cpp:
2716         (Inspector::BackendDispatcher::dispatch):
2717         (Inspector::BackendDispatcher::sendResponse):
2718         (Inspector::BackendDispatcher::sendPendingErrors):
2719         * inspector/JSGlobalObjectConsoleClient.cpp:
2720         (Inspector::JSGlobalObjectConsoleClient::profile):
2721         (Inspector::JSGlobalObjectConsoleClient::profileEnd):
2722         (Inspector::JSGlobalObjectConsoleClient::timeStamp):
2723         * inspector/JSGlobalObjectInspectorController.cpp:
2724         (Inspector::JSGlobalObjectInspectorController::appendAPIBacktrace):
2725         * inspector/JSInjectedScriptHost.cpp:
2726         (Inspector::JSInjectedScriptHost::evaluateWithScopeExtension):
2727         (Inspector::JSInjectedScriptHost::subtype):
2728         (Inspector::JSInjectedScriptHost::getInternalProperties):
2729         * inspector/JSJavaScriptCallFrame.cpp:
2730         (Inspector::JSJavaScriptCallFrame::evaluateWithScopeExtension):
2731         (Inspector::JSJavaScriptCallFrame::type const):
2732         * inspector/ScriptArguments.cpp:
2733         (Inspector::ScriptArguments::getFirstArgumentAsString):
2734         * inspector/ScriptCallStackFactory.cpp:
2735         (Inspector::extractSourceInformationFromException):
2736         * inspector/agents/InspectorAgent.cpp:
2737         (Inspector::InspectorAgent::InspectorAgent):
2738         * inspector/agents/InspectorConsoleAgent.cpp:
2739         (Inspector::InspectorConsoleAgent::InspectorConsoleAgent):
2740         (Inspector::InspectorConsoleAgent::clearMessages):
2741         (Inspector::InspectorConsoleAgent::count):
2742         (Inspector::InspectorConsoleAgent::setLoggingChannelLevel):
2743         * inspector/agents/InspectorDebuggerAgent.cpp:
2744         (Inspector::InspectorDebuggerAgent::InspectorDebuggerAgent):
2745         (Inspector::InspectorDebuggerAgent::setAsyncStackTraceDepth):
2746         (Inspector::buildObjectForBreakpointCookie):
2747         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
2748         (Inspector::parseLocation):
2749         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2750         (Inspector::InspectorDebuggerAgent::setBreakpoint):
2751         (Inspector::InspectorDebuggerAgent::continueToLocation):
2752         (Inspector::InspectorDebuggerAgent::searchInContent):
2753         (Inspector::InspectorDebuggerAgent::getScriptSource):
2754         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
2755         (Inspector::InspectorDebuggerAgent::resume):
2756         (Inspector::InspectorDebuggerAgent::setPauseOnExceptions):
2757         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
2758         (Inspector::InspectorDebuggerAgent::didParseSource):
2759         (Inspector::InspectorDebuggerAgent::assertPaused):
2760         * inspector/agents/InspectorHeapAgent.cpp:
2761         (Inspector::InspectorHeapAgent::InspectorHeapAgent):
2762         (Inspector::InspectorHeapAgent::nodeForHeapObjectIdentifier):
2763         (Inspector::InspectorHeapAgent::getPreview):
2764         (Inspector::InspectorHeapAgent::getRemoteObject):
2765         * inspector/agents/InspectorRuntimeAgent.cpp:
2766         (Inspector::InspectorRuntimeAgent::InspectorRuntimeAgent):
2767         (Inspector::InspectorRuntimeAgent::callFunctionOn):
2768         (Inspector::InspectorRuntimeAgent::getPreview):
2769         (Inspector::InspectorRuntimeAgent::getProperties):
2770         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2771         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2772         (Inspector::InspectorRuntimeAgent::saveResult):
2773         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2774         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2775         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2776         (Inspector::InspectorScriptProfilerAgent::InspectorScriptProfilerAgent):
2777         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2778         (Inspector::JSGlobalObjectDebuggerAgent::injectedScriptForEval):
2779         * inspector/agents/JSGlobalObjectRuntimeAgent.cpp:
2780         (Inspector::JSGlobalObjectRuntimeAgent::injectedScriptForEval):
2781         * inspector/scripts/codegen/cpp_generator_templates.py:
2782         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
2783         (CppBackendDispatcherImplementationGenerator._generate_async_dispatcher_class_for_domain):
2784         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
2785         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2786         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
2787         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2788         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2789         (CppProtocolTypesImplementationGenerator):
2790         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
2791         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
2792         (ObjCBackendDispatcherImplementationGenerator._generate_conversions_for_command):
2793         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
2794         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
2795         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
2796         * inspector/scripts/codegen/generate_objc_protocol_type_conversions_header.py:
2797         (ObjCProtocolTypeConversionsHeaderGenerator._generate_enum_objc_to_protocol_string):
2798         * inspector/scripts/codegen/objc_generator_templates.py:
2799         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2800         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2801         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2802         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2803         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2804         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2805         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2806         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2807         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2808         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2809         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2810         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2811         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2812         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2813         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2814         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2815         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2816         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2817         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2818         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2819         * interpreter/CallFrame.cpp:
2820         (JSC::CallFrame::friendlyFunctionName):
2821         * interpreter/Interpreter.cpp:
2822         (JSC::Interpreter::execute):
2823         * interpreter/StackVisitor.cpp:
2824         (JSC::StackVisitor::Frame::functionName const):
2825         (JSC::StackVisitor::Frame::sourceURL const):
2826         * jit/JIT.cpp:
2827         (JSC::JIT::doMainThreadPreparationBeforeCompile):
2828         * jit/JITOperations.cpp:
2829         * jsc.cpp:
2830         (resolvePath):
2831         (GlobalObject::moduleLoaderImportModule):
2832         (GlobalObject::moduleLoaderResolve):
2833         (functionDescribeArray):
2834         (functionRun):
2835         (functionLoad):
2836         (functionCheckSyntax):
2837         (functionDollarEvalScript):
2838         (functionDollarAgentStart):
2839         (functionDollarAgentReceiveBroadcast):
2840         (functionDollarAgentBroadcast):
2841         (functionTransferArrayBuffer):
2842         (functionLoadModule):
2843         (functionSamplingProfilerStackTraces):
2844         (functionAsyncTestStart):
2845         (functionWebAssemblyMemoryMode):
2846         (runWithOptions):
2847         * parser/Lexer.cpp:
2848         (JSC::Lexer<T>::invalidCharacterMessage const):
2849         (JSC::Lexer<T>::parseString):
2850         (JSC::Lexer<T>::parseComplexEscape):
2851         (JSC::Lexer<T>::parseStringSlowCase):
2852         (JSC::Lexer<T>::parseTemplateLiteral):
2853         (JSC::Lexer<T>::lex):
2854         * parser/Parser.cpp:
2855         (JSC::Parser<LexerType>::parseInner):
2856         * parser/Parser.h:
2857         (JSC::Parser::setErrorMessage):
2858         * runtime/AbstractModuleRecord.cpp:
2859         (JSC::AbstractModuleRecord::finishCreation):
2860         * runtime/ArrayBuffer.cpp:
2861         (JSC::errorMesasgeForTransfer):
2862         * runtime/ArrayBufferSharingMode.h:
2863         (JSC::arrayBufferSharingModeName):
2864         * runtime/ArrayConstructor.cpp:
2865         (JSC::constructArrayWithSizeQuirk):
2866         (JSC::isArraySlowInline):
2867         * runtime/ArrayPrototype.cpp:
2868         (JSC::setLength):
2869         (JSC::shift):
2870         (JSC::unshift):
2871         (JSC::arrayProtoFuncPop):
2872         (JSC::arrayProtoFuncReverse):
2873         (JSC::arrayProtoFuncUnShift):
2874         * runtime/AtomicsObject.cpp:
2875         (JSC::atomicsFuncWait):
2876         (JSC::atomicsFuncWake):
2877         * runtime/BigIntConstructor.cpp:
2878         (JSC::BigIntConstructor::finishCreation):
2879         (JSC::toBigInt):
2880         (JSC::callBigIntConstructor):
2881         * runtime/BigIntObject.cpp:
2882         (JSC::BigIntObject::toStringName):
2883         * runtime/BigIntPrototype.cpp:
2884         (JSC::bigIntProtoFuncToString):
2885         (JSC::bigIntProtoFuncValueOf):
2886         * runtime/CommonSlowPaths.cpp:
2887         (JSC::SLOW_PATH_DECL):
2888         * runtime/ConsoleClient.cpp:
2889         (JSC::ConsoleClient::printConsoleMessageWithArguments):
2890         * runtime/ConsoleObject.cpp:
2891         (JSC::valueOrDefaultLabelString):
2892         (JSC::consoleProtoFuncTime):
2893         (JSC::consoleProtoFuncTimeEnd):
2894         * runtime/DatePrototype.cpp:
2895         (JSC::formatLocaleDate):
2896         (JSC::formateDateInstance):
2897         (JSC::DatePrototype::finishCreation):
2898         (JSC::dateProtoFuncToISOString):
2899         (JSC::dateProtoFuncToJSON):
2900         * runtime/Error.cpp:
2901         (JSC::createNotEnoughArgumentsError):
2902         (JSC::throwSyntaxError):
2903         (JSC::createTypeError):
2904         (JSC::createOutOfMemoryError):
2905         * runtime/Error.h:
2906         (JSC::throwVMError):
2907         * runtime/ErrorConstructor.cpp:
2908         (JSC::ErrorConstructor::finishCreation):
2909         * runtime/ErrorInstance.cpp:
2910         (JSC::ErrorInstance::sanitizedToString):
2911         * runtime/ErrorPrototype.cpp:
2912         (JSC::ErrorPrototype::finishCreation):
2913         (JSC::errorProtoFuncToString):
2914         * runtime/ExceptionFuzz.cpp:
2915         (JSC::doExceptionFuzzing):
2916         * runtime/ExceptionHelpers.cpp:
2917         (JSC::TerminatedExecutionError::defaultValue):
2918         (JSC::createStackOverflowError):
2919         (JSC::createNotAConstructorError):
2920         (JSC::createNotAFunctionError):
2921         (JSC::createNotAnObjectError):
2922         * runtime/GetterSetter.cpp:
2923         (JSC::callSetter):
2924         * runtime/IntlCollator.cpp:
2925         (JSC::sortLocaleData):
2926         (JSC::searchLocaleData):
2927         (JSC::IntlCollator::initializeCollator):
2928         (JSC::IntlCollator::compareStrings):
2929         (JSC::IntlCollator::usageString):
2930         (JSC::IntlCollator::sensitivityString):
2931         (JSC::IntlCollator::caseFirstString):
2932         (JSC::IntlCollator::resolvedOptions):
2933         * runtime/IntlCollator.h:
2934         * runtime/IntlCollatorConstructor.cpp:
2935         (JSC::IntlCollatorConstructor::finishCreation):
2936         * runtime/IntlCollatorPrototype.cpp:
2937         (JSC::IntlCollatorPrototypeGetterCompare):
2938         (JSC::IntlCollatorPrototypeFuncResolvedOptions):
2939         * runtime/IntlDateTimeFormat.cpp:
2940         (JSC::defaultTimeZone):
2941         (JSC::canonicalizeTimeZoneName):
2942         (JSC::IntlDTFInternal::localeData):
2943         (JSC::IntlDTFInternal::toDateTimeOptionsAnyDate):
2944         (JSC::IntlDateTimeFormat::initializeDateTimeFormat):
2945         (JSC::IntlDateTimeFormat::weekdayString):
2946         (JSC::IntlDateTimeFormat::eraString):
2947         (JSC::IntlDateTimeFormat::yearString):
2948         (JSC::IntlDateTimeFormat::monthString):
2949         (JSC::IntlDateTimeFormat::dayString):
2950         (JSC::IntlDateTimeFormat::hourString):
2951         (JSC::IntlDateTimeFormat::minuteString):
2952         (JSC::IntlDateTimeFormat::secondString):
2953         (JSC::IntlDateTimeFormat::timeZoneNameString):
2954         (JSC::IntlDateTimeFormat::resolvedOptions):
2955         (JSC::IntlDateTimeFormat::format):
2956         (JSC::IntlDateTimeFormat::partTypeString):
2957         (JSC::IntlDateTimeFormat::formatToParts):
2958         * runtime/IntlDateTimeFormat.h:
2959         * runtime/IntlDateTimeFormatConstructor.cpp:
2960         (JSC::IntlDateTimeFormatConstructor::finishCreation):
2961         * runtime/IntlDateTimeFormatPrototype.cpp:
2962         (JSC::IntlDateTimeFormatPrototypeGetterFormat):
2963         (JSC::IntlDateTimeFormatPrototypeFuncFormatToParts):
2964         (JSC::IntlDateTimeFormatPrototypeFuncResolvedOptions):
2965         * runtime/IntlNumberFormat.cpp:
2966         (JSC::IntlNumberFormat::initializeNumberFormat):
2967         (JSC::IntlNumberFormat::formatNumber):
2968         (JSC::IntlNumberFormat::styleString):
2969         (JSC::IntlNumberFormat::currencyDisplayString):
2970         (JSC::IntlNumberFormat::resolvedOptions):
2971         (JSC::IntlNumberFormat::partTypeString):
2972         (JSC::IntlNumberFormat::formatToParts):
2973         * runtime/IntlNumberFormat.h:
2974         * runtime/IntlNumberFormatConstructor.cpp:
2975         (JSC::IntlNumberFormatConstructor::finishCreation):
2976         * runtime/IntlNumberFormatPrototype.cpp:
2977         (JSC::IntlNumberFormatPrototypeGetterFormat):
2978         (JSC::IntlNumberFormatPrototypeFuncFormatToParts):
2979         (JSC::IntlNumberFormatPrototypeFuncResolvedOptions):
2980         * runtime/IntlObject.cpp:
2981         (JSC::grandfatheredLangTag):
2982         (JSC::canonicalizeLocaleList):
2983         (JSC::resolveLocale):
2984         (JSC::supportedLocales):
2985         * runtime/IntlPluralRules.cpp:
2986         (JSC::IntlPluralRules::initializePluralRules):
2987         (JSC::IntlPluralRules::resolvedOptions):
2988         (JSC::IntlPluralRules::select):
2989         * runtime/IntlPluralRulesConstructor.cpp:
2990         (JSC::IntlPluralRulesConstructor::finishCreation):
2991         * runtime/IntlPluralRulesPrototype.cpp:
2992         (JSC::IntlPluralRulesPrototypeFuncSelect):
2993         (JSC::IntlPluralRulesPrototypeFuncResolvedOptions):
2994         * runtime/IteratorOperations.cpp:
2995         (JSC::iteratorNext):
2996         (JSC::iteratorClose):
2997         (JSC::hasIteratorMethod):
2998         (JSC::iteratorMethod):
2999         * runtime/JSArray.cpp:
3000         (JSC::JSArray::tryCreateUninitializedRestricted):
3001         (JSC::JSArray::defineOwnProperty):
3002         (JSC::JSArray::put):
3003         (JSC::JSArray::setLengthWithArrayStorage):
3004         (JSC::JSArray::appendMemcpy):
3005         (JSC::JSArray::pop):
3006         * runtime/JSArray.h:
3007         * runtime/JSArrayBufferConstructor.cpp:
3008         (JSC::JSArrayBufferConstructor::finishCreation):
3009         * runtime/JSArrayBufferPrototype.cpp:
3010         (JSC::arrayBufferProtoFuncSlice):
3011         (JSC::arrayBufferProtoGetterFuncByteLength):
3012         (JSC::sharedArrayBufferProtoGetterFuncByteLength):
3013         * runtime/JSArrayBufferView.cpp:
3014         (JSC::JSArrayBufferView::toStringName):
3015         * runtime/JSArrayInlines.h:
3016         (JSC::JSArray::pushInline):
3017         * runtime/JSBigInt.cpp:
3018         (JSC::JSBigInt::divide):
3019         (JSC::JSBigInt::remainder):
3020         (JSC::JSBigInt::toNumber const):
3021         * runtime/JSCJSValue.cpp:
3022         (JSC::JSValue::putToPrimitive):
3023         (JSC::JSValue::putToPrimitiveByIndex):
3024         (JSC::JSValue::toStringSlowCase const):
3025         * runtime/JSCJSValueInlines.h:
3026         (JSC::toPreferredPrimitiveType):
3027         * runtime/JSDataView.cpp:
3028         (JSC::JSDataView::create):
3029         (JSC::JSDataView::put):
3030         (JSC::JSDataView::defineOwnProperty):
3031         * runtime/JSDataViewPrototype.cpp:
3032         (JSC::getData):
3033         (JSC::setData):
3034         * runtime/JSFunction.cpp:
3035         (JSC::JSFunction::callerGetter):
3036         (JSC::JSFunction::put):
3037         (JSC::JSFunction::defineOwnProperty):
3038         * runtime/JSGenericTypedArrayView.h:
3039         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3040         (JSC::constructGenericTypedArrayViewWithArguments):
3041         (JSC::constructGenericTypedArrayView):
3042         * runtime/JSGenericTypedArrayViewInlines.h:
3043         (JSC::JSGenericTypedArrayView<Adaptor>::deleteProperty):
3044         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3045         (JSC::speciesConstruct):
3046         (JSC::genericTypedArrayViewProtoFuncSet):
3047         (JSC::genericTypedArrayViewProtoFuncIndexOf):
3048         (JSC::genericTypedArrayViewProtoFuncLastIndexOf):
3049         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3050         * runtime/JSGlobalObject.cpp:
3051         (JSC::JSGlobalObject::init):
3052         * runtime/JSGlobalObjectDebuggable.cpp:
3053         (JSC::JSGlobalObjectDebuggable::name const):
3054         * runtime/JSGlobalObjectFunctions.cpp:
3055         (JSC::encode):
3056         (JSC::decode):
3057         (JSC::globalFuncProtoSetter):
3058         * runtime/JSGlobalObjectFunctions.h:
3059         * runtime/JSMap.cpp:
3060         (JSC::JSMap::toStringName):
3061         * runtime/JSModuleEnvironment.cpp:
3062         (JSC::JSModuleEnvironment::put):
3063         * runtime/JSModuleNamespaceObject.cpp:
3064         (JSC::JSModuleNamespaceObject::put):
3065         (JSC::JSModuleNamespaceObject::putByIndex):
3066         (JSC::JSModuleNamespaceObject::defineOwnProperty):
3067         * runtime/JSONObject.cpp:
3068         (JSC::Stringifier::appendStringifiedValue):
3069         (JSC::JSONProtoFuncParse):
3070         (JSC::JSONProtoFuncStringify):
3071         * runtime/JSObject.cpp:
3072         (JSC::getClassPropertyNames):
3073         (JSC::JSObject::calculatedClassName):
3074         (JSC::ordinarySetSlow):
3075         (JSC::JSObject::putInlineSlow):
3076         (JSC::JSObject::setPrototypeWithCycleCheck):
3077         (JSC::callToPrimitiveFunction):
3078         (JSC::JSObject::ordinaryToPrimitive const):
3079         (JSC::JSObject::defaultHasInstance):
3080         (JSC::JSObject::defineOwnIndexedProperty):
3081         (JSC::JSObject::putByIndexBeyondVectorLengthWithArrayStorage):
3082         (JSC::JSObject::putDirectIndexBeyondVectorLengthWithArrayStorage):
3083         (JSC::validateAndApplyPropertyDescriptor):
3084         * runtime/JSObject.h:
3085         * runtime/JSObjectInlines.h:
3086         (JSC::JSObject::putInlineForJSObject):
3087         * runtime/JSPromiseConstructor.cpp:
3088         (JSC::JSPromiseConstructor::finishCreation):
3089         * runtime/JSSet.cpp:
3090         (JSC::JSSet::toStringName):
3091         * runtime/JSSymbolTableObject.h:
3092         (JSC::symbolTablePut):
3093         * runtime/JSTypedArrayViewConstructor.cpp:
3094         (JSC::constructTypedArrayView):
3095         * runtime/JSTypedArrayViewPrototype.cpp:
3096         (JSC::typedArrayViewPrivateFuncLength):
3097         (JSC::typedArrayViewProtoFuncSet):
3098         (JSC::typedArrayViewProtoFuncCopyWithin):
3099         (JSC::typedArrayViewProtoFuncLastIndexOf):
3100         (JSC::typedArrayViewProtoFuncIndexOf):
3101         (JSC::typedArrayViewProtoFuncJoin):
3102         (JSC::typedArrayViewProtoGetterFuncBuffer):
3103         (JSC::typedArrayViewProtoGetterFuncLength):
3104         (JSC::typedArrayViewProtoGetterFuncByteLength):
3105         (JSC::typedArrayViewProtoGetterFuncByteOffset):
3106         (JSC::typedArrayViewProtoFuncReverse):
3107         (JSC::typedArrayViewPrivateFuncSubarrayCreate):
3108         (JSC::typedArrayViewProtoFuncSlice):
3109         (JSC::JSTypedArrayViewPrototype::finishCreation):
3110         * runtime/JSWeakMap.cpp:
3111         (JSC::JSWeakMap::toStringName):
3112         * runtime/JSWeakSet.cpp:
3113         (JSC::JSWeakSet::toStringName):
3114         * runtime/LiteralParser.cpp:
3115         (JSC::LiteralParser<CharType>::Lexer::lex):
3116         (JSC::LiteralParser<CharType>::Lexer::lexStringSlow):
3117         (JSC::LiteralParser<CharType>::Lexer::lexNumber):
3118         (JSC::LiteralParser<CharType>::parse):
3119         * runtime/LiteralParser.h:
3120         (JSC::LiteralParser::getErrorMessage):
3121         * runtime/Lookup.cpp:
3122         (JSC::reifyStaticAccessor):
3123         * runtime/Lookup.h:
3124         (JSC::putEntry):
3125         * runtime/MapPrototype.cpp:
3126         (JSC::getMap):
3127         * runtime/NullSetterFunction.cpp:
3128         (JSC::NullSetterFunctionInternal::callReturnUndefined):
3129         * runtime/NumberPrototype.cpp:
3130         (JSC::numberProtoFuncToExponential):
3131         (JSC::numberProtoFuncToFixed):
3132         (JSC::numberProtoFuncToPrecision):
3133         (JSC::extractToStringRadixArgument):
3134         * runtime/ObjectConstructor.cpp:
3135         (JSC::objectConstructorSetPrototypeOf):
3136         (JSC::objectConstructorAssign):
3137         (JSC::objectConstructorValues):
3138         (JSC::toPropertyDescriptor):
3139         (JSC::objectConstructorDefineProperty):
3140         (JSC::objectConstructorDefineProperties):
3141         (JSC::objectConstructorCreate):
3142         (JSC::objectConstructorSeal):
3143         (JSC::objectConstructorFreeze):
3144         * runtime/ObjectPrototype.cpp:
3145         (JSC::objectProtoFuncDefineGetter):
3146         (JSC::objectProtoFuncDefineSetter):
3147         * runtime/Operations.cpp:
3148         (JSC::jsAddSlowCase):
3149         * runtime/Operations.h:
3150         (JSC::jsSub):
3151         (JSC::jsMul):
3152         * runtime/ProgramExecutable.cpp:
3153         (JSC::ProgramExecutable::initializeGlobalProperties):
3154         * runtime/ProxyConstructor.cpp:
3155         (JSC::makeRevocableProxy):
3156         (JSC::proxyRevocableConstructorThrowError):
3157         (JSC::ProxyConstructor::finishCreation):
3158         (JSC::constructProxyObject):
3159         * runtime/ProxyObject.cpp:
3160         (JSC::ProxyObject::toStringName):
3161         (JSC::ProxyObject::finishCreation):
3162         (JSC::performProxyGet):
3163         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3164         (JSC::ProxyObject::performHasProperty):
3165         (JSC::ProxyObject::performPut):
3166         (JSC::performProxyCall):
3167         (JSC::performProxyConstruct):
3168         (JSC::ProxyObject::performDelete):
3169         (JSC::ProxyObject::performPreventExtensions):
3170         (JSC::ProxyObject::performIsExtensible):
3171         (JSC::ProxyObject::performDefineOwnProperty):
3172         (JSC::ProxyObject::performGetOwnPropertyNames):
3173         (JSC::ProxyObject::performSetPrototype):
3174         (JSC::ProxyObject::performGetPrototype):
3175         * runtime/ReflectObject.cpp:
3176         (JSC::reflectObjectConstruct):
3177         (JSC::reflectObjectDefineProperty):
3178         (JSC::reflectObjectGet):
3179         (JSC::reflectObjectGetOwnPropertyDescriptor):
3180         (JSC::reflectObjectGetPrototypeOf):
3181         (JSC::reflectObjectIsExtensible):
3182         (JSC::reflectObjectOwnKeys):
3183         (JSC::reflectObjectPreventExtensions):
3184         (JSC::reflectObjectSet):
3185         (JSC::reflectObjectSetPrototypeOf):
3186         * runtime/RegExpConstructor.cpp:
3187         (JSC::RegExpConstructor::finishCreation):
3188         (JSC::toFlags):
3189         * runtime/RegExpObject.cpp:
3190         (JSC::RegExpObject::defineOwnProperty):
3191         * runtime/RegExpObject.h:
3192         * runtime/RegExpPrototype.cpp:
3193         (JSC::regExpProtoFuncCompile):
3194         (JSC::regExpProtoGetterGlobal):
3195         (JSC::regExpProtoGetterIgnoreCase):
3196         (JSC::regExpProtoGetterMultiline):
3197         (JSC::regExpProtoGetterDotAll):
3198         (JSC::regExpProtoGetterSticky):
3199         (JSC::regExpProtoGetterUnicode):
3200         (JSC::regExpProtoGetterFlags):
3201         (JSC::regExpProtoGetterSourceInternal):
3202         (JSC::regExpProtoGetterSource):
3203         * runtime/RuntimeType.cpp:
3204         (JSC::runtimeTypeAsString):
3205         * runtime/SamplingProfiler.cpp:
3206         (JSC::SamplingProfiler::StackFrame::displayName):
3207         (JSC::SamplingProfiler::StackFrame::displayNameForJSONTests):
3208         * runtime/ScriptExecutable.cpp:
3209         (JSC::ScriptExecutable::prepareForExecutionImpl):
3210         * runtime/SetPrototype.cpp:
3211         (JSC::getSet):
3212         * runtime/SparseArrayValueMap.cpp:
3213         (JSC::SparseArrayValueMap::putEntry):
3214         (JSC::SparseArrayValueMap::putDirect):
3215         (JSC::SparseArrayEntry::put):
3216         * runtime/StackFrame.cpp:
3217         (JSC::StackFrame::sourceURL const):
3218         (JSC::StackFrame::functionName const):
3219         * runtime/StringConstructor.cpp:
3220         (JSC::stringFromCodePoint):
3221         * runtime/StringObject.cpp:
3222         (JSC::StringObject::put):
3223         (JSC::StringObject::putByIndex):
3224         * runtime/StringPrototype.cpp:
3225         (JSC::StringPrototype::finishCreation):
3226         (JSC::toLocaleCase):
3227         (JSC::stringProtoFuncNormalize):
3228         * runtime/Symbol.cpp:
3229         (JSC::Symbol::toNumber const):
3230         * runtime/SymbolConstructor.cpp:
3231         (JSC::symbolConstructorKeyFor):
3232         * runtime/SymbolObject.cpp:
3233         (JSC::SymbolObject::toStringName):
3234         * runtime/SymbolPrototype.cpp:
3235         (JSC::SymbolPrototype::finishCreation):
3236         * runtime/TypeSet.cpp:
3237         (JSC::TypeSet::dumpTypes const):
3238         (JSC::TypeSet::displayName const):
3239         (JSC::StructureShape::leastCommonAncestor):
3240         * runtime/TypeSet.h:
3241         (JSC::StructureShape::setConstructorName):
3242         * runtime/VM.cpp:
3243         (JSC::VM::dumpTypeProfilerData):
3244         * runtime/WeakMapPrototype.cpp:
3245         (JSC::getWeakMap):
3246         (JSC::protoFuncWeakMapSet):
3247         * runtime/WeakSetPrototype.cpp:
3248         (JSC::getWeakSet):
3249         (JSC::protoFuncWeakSetAdd):
3250         * tools/JSDollarVM.cpp:
3251         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
3252         (WTF::DOMJITGetterComplex::customGetter):
3253         (JSC::functionSetImpureGetterDelegate):
3254         (JSC::functionCreateElement):
3255         (JSC::functionGetHiddenValue):
3256         (JSC::functionSetHiddenValue):
3257         (JSC::functionFindTypeForExpression):
3258         (JSC::functionReturnTypeFor):
3259         (JSC::functionLoadGetterFromGetterSetter):
3260         * wasm/WasmB3IRGenerator.cpp:
3261         (JSC::Wasm::B3IRGenerator::fail const):
3262         * wasm/WasmIndexOrName.cpp:
3263         (JSC::Wasm::makeString):
3264         * wasm/WasmParser.h:
3265         (JSC::Wasm::FailureHelper::makeString):
3266         (JSC::Wasm::Parser::fail const):
3267         * wasm/WasmPlan.cpp:
3268         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
3269         * wasm/WasmValidate.cpp:
3270         (JSC::Wasm::Validate::fail const):
3271         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3272         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3273         * wasm/js/JSWebAssemblyHelpers.h:
3274         (JSC::toNonWrappingUint32):
3275         (JSC::getWasmBufferFromValue):
3276         * wasm/js/JSWebAssemblyInstance.cpp:
3277         (JSC::JSWebAssemblyInstance::create):
3278         * wasm/js/JSWebAssemblyMemory.cpp:
3279         (JSC::JSWebAssemblyMemory::grow):
3280         * wasm/js/WasmToJS.cpp:
3281         (JSC::Wasm::handleBadI64Use):
3282         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3283         (JSC::WebAssemblyCompileErrorConstructor::finishCreation):
3284         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3285         (JSC::constructJSWebAssemblyInstance):
3286         (JSC::WebAssemblyInstanceConstructor::finishCreation):
3287         * wasm/js/WebAssemblyInstancePrototype.cpp:
3288         (JSC::getInstance):
3289         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3290         (JSC::WebAssemblyLinkErrorConstructor::finishCreation):
3291         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3292         (JSC::constructJSWebAssemblyMemory):
3293         (JSC::WebAssemblyMemoryConstructor::finishCreation):
3294         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3295         (JSC::getMemory):
3296         * wasm/js/WebAssemblyModuleConstructor.cpp:
3297         (JSC::webAssemblyModuleCustomSections):
3298         (JSC::webAssemblyModuleImports):
3299         (JSC::webAssemblyModuleExports):
3300         (JSC::WebAssemblyModuleConstructor::finishCreation):
3301         * wasm/js/WebAssemblyModuleRecord.cpp:
3302         (JSC::WebAssemblyModuleRecord::link):
3303         (JSC::dataSegmentFail):
3304         (JSC::WebAssemblyModuleRecord::evaluate):
3305         * wasm/js/WebAssemblyPrototype.cpp:
3306         (JSC::resolve):
3307         (JSC::webAssemblyInstantiateFunc):
3308         (JSC::webAssemblyInstantiateStreamingInternal):
3309         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3310         (JSC::WebAssemblyRuntimeErrorConstructor::finishCreation):
3311         * wasm/js/WebAssemblyTableConstructor.cpp:
3312         (JSC::constructJSWebAssemblyTable):
3313         (JSC::WebAssemblyTableConstructor::finishCreation):
3314         * wasm/js/WebAssemblyTablePrototype.cpp:
3315         (JSC::getTable):
3316         (JSC::webAssemblyTableProtoFuncGrow):
3317         (JSC::webAssemblyTableProtoFuncGet):
3318         (JSC::webAssemblyTableProtoFuncSet):
3319
3320 2018-06-22  Keith Miller  <keith_miller@apple.com>
3321
3322         unshift should zero unused property storage
3323         https://bugs.webkit.org/show_bug.cgi?id=186960
3324
3325         Reviewed by Saam Barati.
3326
3327         Also, this patch adds the zeroed unused property storage assertion